fd499bc100639521062479c286c991c61b80c6dd77f9760b06419530aa281eee

Resubmissions

28-05-2022 04:44

220528-fc3bqshcf7 8

28-05-2022 04:40

220528-fat8cadchk 3

28-05-2022 04:28

220528-e328zsdagk 8

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28-05-2022 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

?????.exe
Size

1.1MB
MD5

50d655c1028aea459d40bf26039d17fd
SHA1

eb836fc9323c52f809c8eab1b2bf925f8ecb32c7
SHA256

4ced3461bf68cffbc35c50d02496235721236ad52305e874d852c7f9f00ab249
SHA512

509ac8e9307a489783f396160c6343dc2a1b3306bb5e4ab8dda4580a6c411eba5160974aebe4d6aca40cf21ab1bf4b8e7f0f1056bc82e61e0a0c146883b66a81

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\654de847-d5be-4b98-bba2-8077b3585164.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220528044547.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

regedit.exe_____.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	_____.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	_____.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	_____.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\IESettingSync	_____.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	_____.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	_____.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\IEExt.htm"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\MenuExt	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\IEGetAll.htm"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\International\CpMRU	_____.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	_____.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	_____.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	regedit.exe

Modifies registry class 64 IoCs

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\downlWithIDM64.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ = "ICIDMLinkTransmitter"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\ = "VLinkProcessor Class"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CurVer\ = "IDMIECC.IDMIEHlprObj.1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM integration (IDMIEHlprObj Class)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\ = "IDMIEHlprObj Class"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\idmfsa.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\IDManTypeInfo.tlb"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CLSID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ = "IDMAllLinksProcessor Class"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\downlWithIDM64.dll, 101"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\ = "V2LinkProcessor Class"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib\Version = "1.0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib\Version = "1.0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\downlWithIDM.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib\ = "{ECF21EAB-3AA8-4355-82BE-F777990001DD}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID\ = "IDMIECC.IDMIEHlprObj"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\idmfsa.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version\ = "1.0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\downlWithIDM.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ = "IDMDwnlMgr Class"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID\ = "DownlWithIDM.VLinkProcessor"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\Version = "1.0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regedit.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

5040 regedit.exe

pid	process
5040	regedit.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

_____.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
5036	_____.exe
3248	msedge.exe
3248	msedge.exe
1144	msedge.exe
1144	msedge.exe
6124	identity_helper.exe
6124	identity_helper.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msedge.exe

pid	process
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

msedge.exe

pid process

1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

_____.exe

pid process

5036 _____.exe
5036 _____.exe
5036 _____.exe
5036 _____.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

_____.exemsedge.exe

description	pid	process	target process
PID 5036 wrote to memory of 5040	5036	_____.exe	regedit.exe
PID 5036 wrote to memory of 5040	5036	_____.exe	regedit.exe
PID 1144 wrote to memory of 3748	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3748	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5008	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3248	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3248	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 5012	1144	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\_____.exe
"C:\Users\Admin\AppData\Local\Temp\_____.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\e56b0c8.tmp
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Runs regedit.exe
  PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2181242%26ciaid%3Dactpermedge%26source%3DwindowsSearch
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeaaeb46f8,0x7ffeaaeb4708,0x7ffeaaeb4718
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5868
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7466d5460,0x7ff7466d5470,0x7ff7466d5480
    3⤵
    PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15921448410715334358,5031310787606700934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e56b0c8.tmp

Filesize
65KB

MD5
f0ab67d70ad45facdcd5077f4201971d

SHA1
b662ed906a5e30920f05d40d38eaf4029af4fb2c

SHA256
3da75830db228205a6aa910fe98d58097ddef0dc46080ae82e5785e370fadc03

SHA512
2cac64471d5ef929c52018fb0e90993986f03bc4d66b0f2112d179141015c2cddee4fdd7af3a06e2f4aec6a7b4595a2880e8d0897b52b2d138bb503c8d387b44

Download Submit
\??\pipe\LOCAL\crashpad_1144_QAQGGQHLGAGMQMFV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2156-159-0x0000000000000000-mapping.dmp

Download
memory/3248-135-0x0000000000000000-mapping.dmp

Download
memory/3416-164-0x0000000000000000-mapping.dmp

Download
memory/3748-132-0x0000000000000000-mapping.dmp

Download
memory/3768-142-0x0000000000000000-mapping.dmp

Download
memory/4152-157-0x0000000000000000-mapping.dmp

Download
memory/4648-140-0x0000000000000000-mapping.dmp

Download
memory/4832-144-0x0000000000000000-mapping.dmp

Download
memory/5008-134-0x0000000000000000-mapping.dmp

Download
memory/5012-137-0x0000000000000000-mapping.dmp

Download
memory/5040-130-0x0000000000000000-mapping.dmp

Download
memory/5416-162-0x0000000000000000-mapping.dmp

Download
memory/5556-161-0x0000000000000000-mapping.dmp

Download
memory/5600-146-0x0000000000000000-mapping.dmp

Download
memory/5684-148-0x0000000000000000-mapping.dmp

Download
memory/5760-150-0x0000000000000000-mapping.dmp

Download
memory/5868-151-0x0000000000000000-mapping.dmp

Download
memory/5916-152-0x0000000000000000-mapping.dmp

Download
memory/6124-153-0x0000000000000000-mapping.dmp

Download
memory/6140-155-0x0000000000000000-mapping.dmp

Download