blackmoon | 3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Size

2.6MB
MD5

ee93f85ebd4faadb04fc34a3d7321a4e
SHA1

0ef87a6904b5f0668a66a12521f1737971c6bcee
SHA256

3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20
SHA512

8479b6b67727e3fe76cb6b9dc99d9c8cfee57ec24a14e5fce5fb477bcdc60b51db72055843e1f6c7a7c717e04241b5fe257b85ca0dba681e60ea1a6f2216b5d1
SSDEEP

49152:Mp6qkpHtyyj+KmfFYEMGjHOcI0zVGrlHOFhVcpP4Ru040vSwK:YQt1Lmf/HlFVGrlH2s4Ru040a

Score

10^/10

blackmoon banker discovery spyware stealer trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 25 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b6f-5.dat	family_blackmoon
behavioral2/files/0x0032000000023b76-11.dat	family_blackmoon
behavioral2/memory/3636-13-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-15-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-24-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-36-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-47-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-43-0x0000000002630000-0x0000000002641000-memory.dmp	family_blackmoon
behavioral2/memory/3636-35-0x0000000002630000-0x0000000002641000-memory.dmp	family_blackmoon
behavioral2/memory/3636-34-0x0000000002630000-0x0000000002641000-memory.dmp	family_blackmoon
behavioral2/memory/3636-25-0x0000000002620000-0x000000000262F000-memory.dmp	family_blackmoon
behavioral2/memory/3636-48-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3700-53-0x0000000002580000-0x00000000027AF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-59-0x00000000026A0000-0x00000000028CF000-memory.dmp	family_blackmoon
behavioral2/memory/3636-52-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/3700-85-0x0000000003560000-0x0000000003571000-memory.dmp	family_blackmoon
behavioral2/memory/3700-79-0x0000000002580000-0x00000000027AF000-memory.dmp	family_blackmoon
behavioral2/memory/3700-84-0x0000000003560000-0x0000000003571000-memory.dmp	family_blackmoon
behavioral2/memory/3700-76-0x0000000002A60000-0x0000000002A6F000-memory.dmp	family_blackmoon
behavioral2/memory/3700-91-0x0000000002580000-0x00000000027AF000-memory.dmp	family_blackmoon
behavioral2/memory/3700-92-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/3700-95-0x0000000002580000-0x00000000027AF000-memory.dmp	family_blackmoon
behavioral2/memory/3700-96-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/3700-98-0x0000000002580000-0x00000000027AF000-memory.dmp	family_blackmoon
behavioral2/memory/3700-100-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	¾ýÁÙÌìÏÂ.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b7d-42.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	¾ýÁÙÌìÏÂ.exe

Executes dropped EXE 3 IoCs

pid	Process
556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
3636	¾ýÁÙÌìÏÂ.exe
3700	¾ýÁÙÌìÏÂ.exe

Loads dropped DLL 2 IoCs

pid	Process
3636	¾ýÁÙÌìÏÂ.exe
3700	¾ýÁÙÌìÏÂ.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\P:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\W:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\Y:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\A:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\E:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\G:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\L:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\R:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\Z:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\J:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\K:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\N:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\Q:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\V:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\B:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\H:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\T:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\U:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\I:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\O:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\S:	¾ýÁÙÌìÏÂ.exe
File opened (read-only)	\??\X:	¾ýÁÙÌìÏÂ.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcp30.dll	¾ýÁÙÌìÏÂ.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	¾ýÁÙÌìÏÂ.exe
File created	C:\Windows\SysWOW64\msvcp30.dll	¾ýÁÙÌìÏÂ.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	¾ýÁÙÌìÏÂ.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b7d-42.dat	upx
behavioral2/memory/3636-44-0x0000000073EC0000-0x0000000073EFC000-memory.dmp	upx
behavioral2/memory/3636-43-0x0000000002630000-0x0000000002641000-memory.dmp	upx
behavioral2/memory/3636-35-0x0000000002630000-0x0000000002641000-memory.dmp	upx
behavioral2/memory/3636-34-0x0000000002630000-0x0000000002641000-memory.dmp	upx
behavioral2/memory/3636-30-0x0000000002630000-0x0000000002641000-memory.dmp	upx
behavioral2/memory/3636-60-0x0000000073EC0000-0x0000000073EFC000-memory.dmp	upx
behavioral2/memory/3700-85-0x0000000003560000-0x0000000003571000-memory.dmp	upx
behavioral2/memory/3700-84-0x0000000003560000-0x0000000003571000-memory.dmp	upx
behavioral2/memory/3700-81-0x0000000003560000-0x0000000003571000-memory.dmp	upx
behavioral2/memory/3700-75-0x0000000073EC0000-0x0000000073EFC000-memory.dmp	upx
behavioral2/memory/3700-94-0x0000000073EC0000-0x0000000073EFC000-memory.dmp	upx
behavioral2/memory/3700-97-0x0000000073EC0000-0x0000000073EFC000-memory.dmp	upx
behavioral2/memory/3700-102-0x0000000073EC0000-0x0000000073EFC000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvcp30.ini	¾ýÁÙÌìÏÂ.exe
File created	C:\Windows\msvcp30.dll	¾ýÁÙÌìÏÂ.exe
File opened for modification	C:\Windows\msvcp30.ico	¾ýÁÙÌìÏÂ.exe
File opened for modification	C:\Windows\msvcp30.ini	¾ýÁÙÌìÏÂ.exe
File opened for modification	C:\Windows\msvcp30.dll	¾ýÁÙÌìÏÂ.exe
File created	C:\Windows\msvcp30.ico	¾ýÁÙÌìÏÂ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¾ýÁÙÌìÏÂ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¾ýÁÙÌìÏÂ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3700	¾ýÁÙÌìÏÂ.exe
3700	¾ýÁÙÌìÏÂ.exe
3060	msedge.exe
3060	msedge.exe
2068	msedge.exe
2068	msedge.exe
2296	identity_helper.exe
2296	identity_helper.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Token: SeDebugPrivilege	3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Token: SeDebugPrivilege	556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Token: SeDebugPrivilege	556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Token: SeDebugPrivilege	556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
Token: SeDebugPrivilege	3636	¾ýÁÙÌìÏÂ.exe
Token: SeDebugPrivilege	3636	¾ýÁÙÌìÏÂ.exe
Token: SeDebugPrivilege	3700	¾ýÁÙÌìÏÂ.exe
Token: SeDebugPrivilege	3700	¾ýÁÙÌìÏÂ.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
3636	¾ýÁÙÌìÏÂ.exe
3700	¾ýÁÙÌìÏÂ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 556	3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe	83
PID 3532 wrote to memory of 556	3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe	83
PID 3532 wrote to memory of 556	3532	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe	83
PID 556 wrote to memory of 3636	556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe	86
PID 556 wrote to memory of 3636	556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe	86
PID 556 wrote to memory of 3636	556	3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe	86
PID 3636 wrote to memory of 3700	3636	¾ýÁÙÌìÏÂ.exe	89
PID 3636 wrote to memory of 3700	3636	¾ýÁÙÌìÏÂ.exe	89
PID 3636 wrote to memory of 3700	3636	¾ýÁÙÌìÏÂ.exe	89
PID 3700 wrote to memory of 2068	3700	¾ýÁÙÌìÏÂ.exe	97
PID 3700 wrote to memory of 2068	3700	¾ýÁÙÌìÏÂ.exe	97
PID 2068 wrote to memory of 2556	2068	msedge.exe	98
PID 2068 wrote to memory of 2556	2068	msedge.exe	98
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 1056	2068	msedge.exe	99
PID 2068 wrote to memory of 3060	2068	msedge.exe	100
PID 2068 wrote to memory of 3060	2068	msedge.exe	100
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101
PID 2068 wrote to memory of 3432	2068	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
"C:\Users\Admin\AppData\Local\Temp\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe
  "C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe
    "C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe
      "C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe" Master
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.30my.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffec9e346f8,0x7ffec9e34708,0x7ffec9e34718
        6⤵
        
        PID:2556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:1056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
        6⤵
        
        PID:3432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        
        PID:2584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        6⤵
        
        PID:2716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
        6⤵
        
        PID:3164
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
        6⤵
        
        PID:844
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:4984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
        6⤵
        
        PID:4176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5041841077324846004,9559045014927969745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        6⤵
        
        PID:4544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b10a1d5e961620fd1d616f90eb99787f

SHA1
1b65d2fa47dd2585909e76cbeb72e52f9f0a4fb6

SHA256
a915948a6ee7a2b4ca6b93fb2bd125cd40bb377a4152a9ee2021ded561bd5e61

SHA512
1fcb429389c6fad29879b1f8b8d8190c375d176f51d17d121e387d2aca615890f50bf18004976e4201d4b928f570f2a144ff595e131765732302daa9d8c0d570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
62f4d6ea4b17ce4a5906ace189ed60e4

SHA1
08fab9894950e537143d80a7c78e2bb65209eebb

SHA256
6605611fbe56b33c12491c8118c3a3fc5a27456f74f9c5fbadd7e0ff6e3ea723

SHA512
8b596ede908031a0c954e684454b7a0fdac542a7a2122ccc9a20ec0a259bde2b84f934b329cdb3480a58fc0fccea95f66ab01885b8c9ed974bb06f0b2a539d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
90c0bc23a9865b31a3fdf06fa668fbdb

SHA1
a6a4a6cb8ec4e65f8c4129d9a2b017fecfbffff7

SHA256
77ed98b38910e952b72702db0d8c1c85a4d4adc2a0fd468ca488736a474fe0f4

SHA512
f465580720e4e18dbe9e3aefcc16cbbb986eb0119f7006aec8e9b5937f47c650eb1eed2ffb5eb32b0dc7873e33a11ec756e222795c29211fd44e1b2fcc2224b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
959a50544ebe592b13e4d25e45354c3f

SHA1
6f945c8821e49656ee8ab9390fb9de942589086a

SHA256
318f495507ff86dee46dd135a71d92011bea17420b493dcab2bc545f240aebff

SHA512
693712169cf90ce6b62279a08c2780cc76a31dc0bda80c5b2ebae2aa90e83fd4f88ba0450dd8dae06c83da5a7c74c087d376c933cacd81d92769e4fe413c7389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68671c74894f2a79160e47e8fb2c6c46

SHA1
a3f602000d4d10bd3bd5bea69dd63f21d0783afd

SHA256
cd6698dbbed37a4aabae9e213b46c6c6fd39fbcd19d17d8a551a01c9bfc81a76

SHA512
5c31627fa54f9bc7022cf88dd78196bc750e98d06ec52c0765b3c14eefdc0bd7df35576aab9d8881938310d4568f503f0588ebbf34e0153fccc748fb3e3c2b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c5355d97a30b305fc4c804428687597f

SHA1
4a0a413e91952d6810949a9c51ba943daf815302

SHA256
7cf6d29478df9fecfd96fbcb9b26b52b752ff91b42f274cf0e4b331d7bd6768c

SHA512
361088f48da20d9370ec6931115456700b524d1af4b16775aa694228fa7499cdac750e540fc5ddec87a1017fbd26b3c3d7e244fe96a271c305132b5928e9e030

Download Submit
C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20.exe

Filesize
2.6MB

MD5
ee93f85ebd4faadb04fc34a3d7321a4e

SHA1
0ef87a6904b5f0668a66a12521f1737971c6bcee

SHA256
3068c17ad51cf407433cc89e71b9190e7fcd8c82f914785c0e9487d24de61b20

SHA512
8479b6b67727e3fe76cb6b9dc99d9c8cfee57ec24a14e5fce5fb477bcdc60b51db72055843e1f6c7a7c717e04241b5fe257b85ca0dba681e60ea1a6f2216b5d1

Download Submit
C:\Users\Admin\AppData\Roaming\¾ýÁÙÌìÏÂ\¾ýÁÙÌìÏÂ.exe

Filesize
4.5MB

MD5
08cfce375a93146a24759f7bbbeb7823

SHA1
6e7c44ced4eaf20201ada64118ee1b26c5d02678

SHA256
baeba054f69683238e8a87b27097254a0ce27d736967fc998eae9f80e4e0d42e

SHA512
ab049d59a998cf81f9e1718366fb72901482af8291c0e62fc85abdfa4b682625911be77d39c3b1aca5fcf3bd72971b6c6b26257b46fef0499f1e8a36076b01e3

Download Submit
C:\Users\Admin\Desktop\¾ýÁÙÌìÏÂ.lnk

Filesize
1KB

MD5
f83ab567d502a47cc2719e9d9b6a9c44

SHA1
6a077b7f4033ccb4c506ca1b3027e45c7335e476

SHA256
96585a6568744c7e810df3158028559b65d13c36bb0c0e818e0473494c008b87

SHA512
329035d20c259c5a1aaa62cdba4dfc0f0e9dd0228836c98c6d9b6e4539f62d7d57a7029725512377997abfe9c6ae11034c5f96a51d6ad61fe1ca939db716a2ca

Download Submit
C:\Users\Admin\Desktop\Ä§Óò·¢²¼Íø.url

Filesize
120B

MD5
5c8c7c3ce78aa0a9d56f96ab77676682

SHA1
1a591e2d34152149274f46d754174aa7a7bb2694

SHA256
40a172493bd1337c6bfd9c0af15be6d6e5d539135dd766577a05362e859ff806

SHA512
8ef03cf1967157cf019d1e7b585a45042642d5a1d82c90ef68f1256e40fe162460e7c26919b1fdf8c33de9f95201ee6a13e69676436d7251a017c04fdf047a77

Download Submit
C:\Windows\SysWOW64\msvcp30.dll

Filesize
93KB

MD5
a6c4f055c797a43def0a92e5a85923a7

SHA1
efaa9c3a065aff6a64066f76e7c77ffcaaf779b2

SHA256
73bd285ac6fba28108cdc0d7311e37c4c4fc3ba7d0069c4370778ac3099e21a9

SHA512
d8120f7f59c212867c78af42f93db64d35f2d6eae7fc09021c0a6d8ca71a14bd2b2a3006027094ee2edcf65634dcdb3ac96da3ac810171fff021bed4c4254957

Download Submit
C:\Windows\SysWOW64\msvcp30.ini

Filesize
18B

MD5
2cd7883782c594d2e2654f8fe988fcbe

SHA1
042bcb87c29e901d70c0ad0f8fa53e0338c569fc

SHA256
aa98ce751ef6ac5401a9278f30c06e250dbbd5e8c2e2c378b0fdf33a205d7037

SHA512
88413dc63847682207d2b1e6cdfcb3de9cc73da5f900a1948e4aa262da20056bcb2486ee8a7c8a4f9b0aa3fdff6b99061262fbc67aebc99bf0b42e5bfc7db360

Download Submit
C:\Windows\msvcp30.ico

Filesize
264KB

MD5
bdccf3c42497089ae7001328305906ed

SHA1
cf6f28e09d98ebe516b408e6b15f03f5891fdc79

SHA256
5f191e3486c0bafdd237f8b79f6ce0f69d1f8c9f8c948d14ab061db36286b2f2

SHA512
d7876d8d414ca48903393aa523296ffe35bfa3c6b5bfc4ce70adfc93d31efa61a9bfeea571754cde2e205416e57c13df5c45551b5e6aae6eb53b951065ebbf5d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c06fec6d75762b5181389282098b299d

SHA1
bd823bd006cb0a6c18b8a155feb54672db799628

SHA256
af717e7dbdf0de9f042bdb55f6056f68d0d7b5cdf4c4de615ff36db496387ffe

SHA512
9a8f8423790ce0f30e4b1097279ce2020a90e388738ce264ec16a0b11e3d1d4f8abeb086e0c41b836409c7706ff58bd1e8d7f9870d48d15d6bd597f069d0d580

Download Submit
memory/3636-30-0x0000000002630000-0x0000000002641000-memory.dmp

Filesize
68KB

Download
memory/3636-35-0x0000000002630000-0x0000000002641000-memory.dmp

Filesize
68KB

Download
memory/3636-48-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3636-59-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3636-52-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/3636-13-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3636-25-0x0000000002620000-0x000000000262F000-memory.dmp

Filesize
60KB

Download
memory/3636-49-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3636-34-0x0000000002630000-0x0000000002641000-memory.dmp

Filesize
68KB

Download
memory/3636-14-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3636-43-0x0000000002630000-0x0000000002641000-memory.dmp

Filesize
68KB

Download
memory/3636-44-0x0000000073EC0000-0x0000000073EFC000-memory.dmp

Filesize
240KB

Download
memory/3636-47-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3636-36-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3636-24-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3636-60-0x0000000073EC0000-0x0000000073EFC000-memory.dmp

Filesize
240KB

Download
memory/3636-15-0x00000000026A0000-0x00000000028CF000-memory.dmp

Filesize
2.2MB

Download
memory/3700-79-0x0000000002580000-0x00000000027AF000-memory.dmp

Filesize
2.2MB

Download
memory/3700-102-0x0000000073EC0000-0x0000000073EFC000-memory.dmp

Filesize
240KB

Download
memory/3700-100-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/3700-98-0x0000000002580000-0x00000000027AF000-memory.dmp

Filesize
2.2MB

Download
memory/3700-96-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/3700-97-0x0000000073EC0000-0x0000000073EFC000-memory.dmp

Filesize
240KB

Download
memory/3700-95-0x0000000002580000-0x00000000027AF000-memory.dmp

Filesize
2.2MB

Download
memory/3700-92-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/3700-94-0x0000000073EC0000-0x0000000073EFC000-memory.dmp

Filesize
240KB

Download
memory/3700-91-0x0000000002580000-0x00000000027AF000-memory.dmp

Filesize
2.2MB

Download
memory/3700-75-0x0000000073EC0000-0x0000000073EFC000-memory.dmp

Filesize
240KB

Download
memory/3700-76-0x0000000002A60000-0x0000000002A6F000-memory.dmp

Filesize
60KB

Download
memory/3700-81-0x0000000003560000-0x0000000003571000-memory.dmp

Filesize
68KB

Download
memory/3700-84-0x0000000003560000-0x0000000003571000-memory.dmp

Filesize
68KB

Download
memory/3700-85-0x0000000003560000-0x0000000003571000-memory.dmp

Filesize
68KB

Download
memory/3700-53-0x0000000002580000-0x00000000027AF000-memory.dmp

Filesize
2.2MB

Download