c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf

Analysis

max time kernel
1640s
max time network
1427s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
17-03-2022 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf.zip
Size

116KB
MD5

4dc8ba09c045dd5a7337bb11ac971358
SHA1

3bc46bc37b2493ec53ecf391077d564cb7ed6755
SHA256

c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf
SHA512

a5adc9ab69b8de2970d85f6543106777e1c9149cb9f2b7daa4ffca0dc5ebb72ceac7ece46d1ce613a5c5be9b54e524a4f0b0350666fba417ff56f3a5d8816548

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\181cd27d-55f3-47b7-a3b3-2d5452bab608.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220317121346.pma	setup.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXEEXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEEXCEL.EXEWINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: AddClipboardFormatListener 7 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEEXCEL.EXE

pid process

4124 WINWORD.EXE
4124 WINWORD.EXE
3900 WINWORD.EXE
3900 WINWORD.EXE
1576 WINWORD.EXE
1576 WINWORD.EXE
2652 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

2692 msedge.exe
2692 msedge.exe
3860 msedge.exe
3860 msedge.exe
1224 identity_helper.exe
1224 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

3860 msedge.exe
3860 msedge.exe
3860 msedge.exe
3860 msedge.exe
3860 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
2692	msedge.exe
2692	msedge.exe
3860	msedge.exe
3860	msedge.exe
1224	identity_helper.exe
1224	identity_helper.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeTcbPrivilege	1440	svchost.exe
Token: SeTcbPrivilege	1440	svchost.exe
Token: SeTcbPrivilege	1440	svchost.exe
Token: SeTcbPrivilege	1440	svchost.exe
Token: SeTcbPrivilege	1440	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3860 msedge.exe
3860 msedge.exe
3860 msedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEEXCEL.EXE

pid	process
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
3900	WINWORD.EXE
3900	WINWORD.EXE
3900	WINWORD.EXE
3900	WINWORD.EXE
3900	WINWORD.EXE
3900	WINWORD.EXE
3900	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
1576	WINWORD.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3860 wrote to memory of 2792	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2792	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 740	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2692	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2692	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4236	3860	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf.zip
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\RFQ.pdf
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc8add46f8,0x7ffc8add4708,0x7ffc8add4718
2⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
2⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
2⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
2⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5608 /prefetch:6
2⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff71c835460,0x7ff71c835470,0x7ff71c835480
3⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
2⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
2⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
2⤵
PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4260

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\Technical qualification statement.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\commercial qualification statement.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\406 - Low Value Purchase Order.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\rfq_6000026477_technical_bid_submission_sheet.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
MD5
eeb419f0e23c5383bdf86c1aaa98a580

SHA1
d1be514290b8f73faf4f45120c20d8d3724a0e9a

SHA256
ba385e8e081b8521bba756343976a75a632505f1ef503a86a4c00cfa73002379

SHA512
17abe58755a95b810163b5a5936218b12bf9a0d7c53f182cdb70e5b05d2d7fafa7e4cf4c376119db765faa99f0502706a3691b9801594446df266d113417e5ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
dfb4812068b1036a1f9f9078e6937343

SHA1
70d325bdd2fe4603cae52ad56e6a8ef8903f3240

SHA256
ef7d817b9ece8664f21b470b8cd6168931b8c5156a33012c1f995e8480134a62

SHA512
b9ba7c6eb7cba5e25ce34816693e94151a5ecba95e83f31b674beefa02351a861b18f37286b397aa3c517f49b6c454bff9b994a239351bdf7571fbc53383340a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
MD5
a641a61334386429641750ae229e4591

SHA1
60ca8f787bb411038c89285c3593babcc65d16ea

SHA256
fbeb4ca289b93e2ed84207e0afbd550ee3b3baccb562b5de047e37357fb5c3d5

SHA512
fedb7b37413d92b9e0407b1bf351108ed33270ff6ff4eb6496b3a3c180945fc04604f428c31b62108bb9e19c40a417f16dd856493ba30f788c3083d854ff5b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
5d0fee9a7ff822abfd93714a38131c8b

SHA1
25ad31f6edbff865ae002352ae844613074a7054

SHA256
81fe2a0105332dce9d3b00946ac6b3756cd54c57c35d7202cb3e499f21d302ae

SHA512
914aa41caf702add486359e490e0efba946fac80b6b061f9e450059318ded8c2b81715127b3568b33d2a3ce57c97020383a70c6488eb0a2820482ef61db87910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\428BC7BA-99B6-438F-9AF3-807D4C185885
MD5
f92089330c05b1c937b320940d0761c0

SHA1
9247498168e2a58bddd1654de15a584650be2cb8

SHA256
c7a1b95aa7464c95497adbc6ba9999fb42698e80e31d63033a1b2ff215de4790

SHA512
f986433063e08415a3422ec927f65fa816e95438316f32550346bf0a102f39fcf10f18600ef6f98bd3ff68ea2aa36168a4984076ae6df9df2a18b0066a5758d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
MD5
bb5122013e9da21ebcd7cf8bbfd442d8

SHA1
137dc37b75c41a0edca25bc20dab16729c23d5f5

SHA256
fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3

SHA512
6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3860_1651514225\561b267d-84e8-4c62-b0b7-4e064be02aa2
MD5
e1e5c20a754c68872e8abbf1d84875e8

SHA1
3cc98edfc0a925f39c7b78ae4ec4e4425b0fd661

SHA256
dd94940b6330d77e7797a60de1183cca7b0f71ab247bea8f9ae0ff30eafc379f

SHA512
59d2ce41bfc0764a699ad0ea6eb0ff38ac05c8dfdc15004ccffc4182dc53bf5cacd77274a1d24f0cf0489edf2abea99efb0d4af7ba7d84c21e793c89273a9279

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
6fe66a5131b9baee3fa67163b36c666b

SHA1
3e578570b6dc9952ab8185861036c6cd7561ec01

SHA256
b7e09741c0503067d279fb6a44a30540b94722f707cb79cf5faec8e672e96386

SHA512
fb26a50859c76483f95eb6825b0cfdd9c514ca8002a651123f59f2572bc904330b59e354a1e00652c2835c5f958f0f2a4b58787c6ff0072fdcb2abfd32098e3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
a18eb58807259af682a568bfb8d7544f

SHA1
68064c09a373a9242443931d50783d7b43f4c869

SHA256
742405ad6ca89a6130af418e25c40fa92f2b13812cf0998e201c94dfb46b3a03

SHA512
4408bb109c7893780c5cdbede0e33d053415663032730f2a31f58a796f9ac78798fb2b93090595a460092ce5d5dbb11eeb96f0534edaab4f4b164b88d6732b58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
a021af0a3eadbe1e624037d7dddbc76a

SHA1
7cfd2574a7f9c980ead5e670ed17ccf9883b87bc

SHA256
a974bdbe3e8c8a2c41bde512d463e2694649027f6019bd0ba569fbbc76979dfb

SHA512
eeedc011a916bb6932dded3e2f062799ee6b78445d0d34bd6fa4891a6d93501444114717303e7838cb138c07a1172cd06732f8a01ae6be3cf3f8aceaf517b405

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
MD5
a29216152329b6923be226025d70d8ca

SHA1
8618e335a0d67969c069768c605fbc85ce98b25a

SHA256
fcbbf13dc970c8e4ffca368745dd00b90b9f1a755603d2c6bec217fb74278cc4

SHA512
3bb74f3f2a4fcac1428871cde188383e0f2e59d19232537949221c3cfd8d9adff2f0ce786e5c67db8c402a4cdc05017a92657ed6994cf11753c08759ce4c0083

Download Submit
\??\pipe\LOCAL\crashpad_3860_UEXZVXVINWYOUQQT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/740-134-0x00007FFCA8710000-0x00007FFCA8711000-memory.dmp

Filesize
4KB

Download
memory/1576-242-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-241-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-240-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-238-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-239-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-237-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-236-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-235-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-234-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-233-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-232-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-243-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-231-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-244-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-245-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-246-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-247-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/1576-256-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-262-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-263-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-265-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-264-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-266-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-267-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-268-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-269-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-270-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-271-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-207-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-208-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-210-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-206-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-205-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-220-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-204-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-203-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-202-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-201-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-199-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-198-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-196-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-194-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-195-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-189-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-188-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-187-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4020-130-0x000001EAE2D60000-0x000001EAE2D70000-memory.dmp

Filesize
64KB

Download
memory/4020-132-0x000001EAE5370000-0x000001EAE5374000-memory.dmp

Filesize
16KB

Download
memory/4020-131-0x000001EAE2F80000-0x000001EAE2F90000-memory.dmp

Filesize
64KB

Download
memory/4020-289-0x000001EAE56C0000-0x000001EAE56C4000-memory.dmp

Filesize
16KB

Download
memory/4020-290-0x000001EAE56B0000-0x000001EAE56B1000-memory.dmp

Filesize
4KB

Download
memory/4020-294-0x000001EAE5290000-0x000001EAE5291000-memory.dmp

Filesize
4KB

Download
memory/4020-293-0x000001EAE5390000-0x000001EAE5394000-memory.dmp

Filesize
16KB

Download
memory/4020-292-0x000001EAE5390000-0x000001EAE5391000-memory.dmp

Filesize
4KB

Download
memory/4020-291-0x000001EAE53A0000-0x000001EAE53A4000-memory.dmp

Filesize
16KB

Download
memory/4124-178-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-164-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-175-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-174-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-173-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-172-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-171-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-170-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-169-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-168-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-167-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-166-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-165-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-176-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-163-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-162-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-161-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-160-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-159-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-177-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-179-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-180-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-181-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmp

Filesize
2.0MB

Download
memory/4124-158-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-157-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-156-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download
memory/4124-155-0x00007FFC69430000-0x00007FFC69440000-memory.dmp

Filesize
64KB

Download