raccoon | 0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220722-en
resource tags

arch:x64arch:x86image:win10-20220722-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2022 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
Size

893KB
MD5

da7f06ed721db4dd18cc123c483aff24
SHA1

89d63c8642c3f86478aa4c9f3f9fe40ce45d92e8
SHA256

0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515
SHA512

9d72514ed180d2890d4e9ccf551062a78f5a2653624e9b6057fef03b250b18ef8216f6ed5ba7abdc4727c93881c6c3d1e0bbedda3a2ae06ae9d76dbfc8c878a7

Score

10^/10

raccoon redline 4 @tag12312341 f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1160-699-0x0000000000030000-0x000000000003F000-memory.dmp	family_raccoon
behavioral1/memory/1160-727-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon
behavioral1/memory/1160-837-0x0000000000030000-0x000000000003F000-memory.dmp	family_raccoon
behavioral1/memory/1160-852-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
behavioral1/memory/4112-484-0x0000000000590000-0x00000000005D4000-memory.dmp	family_redline
behavioral1/memory/2004-483-0x0000000000AE0000-0x0000000000B24000-memory.dmp	family_redline
behavioral1/memory/1820-580-0x0000000000AB0000-0x0000000000AD0000-memory.dmp	family_redline

Executes dropped EXE 8 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exenuplat.exereal.exesafert44.exetag.exeEU1.exe

pid process

1160 F0geI.exe
2708 kukurzka9000.exe
2004 namdoitntn.exe
2828 nuplat.exe
3824 real.exe
4112 safert44.exe
1820 tag.exe
1004 EU1.exe

pid	process
1160	F0geI.exe
2708	kukurzka9000.exe
2004	namdoitntn.exe
2828	nuplat.exe
3824	real.exe
4112	safert44.exe
1820	tag.exe
1004	EU1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Control Panel\International\Geo\Nation	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

Processes:

0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\nuplat.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe

Drops file in Windows directory 8 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3456 3824 WerFault.exe real.exe

pid	pid_target	process	target process
3456	3824	WerFault.exe	real.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1b9221d4c39dd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{2941E3B3-744B-4356-8B0C-B5F2C5645D96}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b5a3f23d97acd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = a0fba25b0faed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1b9221d4c39dd801	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

real.exesafert44.exetag.exenamdoitntn.exe

pid process

3824 real.exe
3824 real.exe
4112 safert44.exe
4112 safert44.exe
1820 tag.exe
1820 tag.exe
2004 namdoitntn.exe
2004 namdoitntn.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

5048 MicrosoftEdgeCP.exe
5048 MicrosoftEdgeCP.exe
5048 MicrosoftEdgeCP.exe
5048 MicrosoftEdgeCP.exe
5048 MicrosoftEdgeCP.exe
5048 MicrosoftEdgeCP.exe

pid	process
3824	real.exe
3824	real.exe
4112	safert44.exe
4112	safert44.exe
1820	tag.exe
1820	tag.exe
2004	namdoitntn.exe
2004	namdoitntn.exe

pid	process
5048	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exesafert44.exetag.exenamdoitntn.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4504	MicrosoftEdge.exe
Token: SeDebugPrivilege	4504	MicrosoftEdge.exe
Token: SeDebugPrivilege	4504	MicrosoftEdge.exe
Token: SeDebugPrivilege	4504	MicrosoftEdge.exe
Token: SeDebugPrivilege	4940	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4940	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4940	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4940	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4112	safert44.exe
Token: SeDebugPrivilege	1820	tag.exe
Token: SeDebugPrivilege	2004	namdoitntn.exe
Token: SeDebugPrivilege	5384	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5384	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4504 MicrosoftEdge.exe
5048 MicrosoftEdgeCP.exe
5048 MicrosoftEdgeCP.exe

pid	process
4504	MicrosoftEdge.exe
5048	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2240 wrote to memory of 1160	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	F0geI.exe
PID 2240 wrote to memory of 1160	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	F0geI.exe
PID 2240 wrote to memory of 1160	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	F0geI.exe
PID 2240 wrote to memory of 2708	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	kukurzka9000.exe
PID 2240 wrote to memory of 2708	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	kukurzka9000.exe
PID 2240 wrote to memory of 2708	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	kukurzka9000.exe
PID 2240 wrote to memory of 2004	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	namdoitntn.exe
PID 2240 wrote to memory of 2004	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	namdoitntn.exe
PID 2240 wrote to memory of 2004	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	namdoitntn.exe
PID 2240 wrote to memory of 2828	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	nuplat.exe
PID 2240 wrote to memory of 2828	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	nuplat.exe
PID 2240 wrote to memory of 2828	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	nuplat.exe
PID 2240 wrote to memory of 3824	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	real.exe
PID 2240 wrote to memory of 3824	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	real.exe
PID 2240 wrote to memory of 3824	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	real.exe
PID 2240 wrote to memory of 4112	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	safert44.exe
PID 2240 wrote to memory of 4112	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	safert44.exe
PID 2240 wrote to memory of 4112	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	safert44.exe
PID 2240 wrote to memory of 1820	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	tag.exe
PID 2240 wrote to memory of 1820	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	tag.exe
PID 2240 wrote to memory of 1820	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	tag.exe
PID 2240 wrote to memory of 1004	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	EU1.exe
PID 2240 wrote to memory of 1004	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	EU1.exe
PID 2240 wrote to memory of 1004	2240	0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe	EU1.exe
PID 5048 wrote to memory of 2260	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2260	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2260	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2260	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2688	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2688	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2688	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 5048 wrote to memory of 2688	5048	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe
"C:\Users\Admin\AppData\Local\Temp\0aae4f734962cba43eda599dbff153929a18ce45e814176b5e37998858c70515.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Company\NewProduct\nuplat.exe
"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"
2⤵
- Executes dropped EXE
PID:2828

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1252
3⤵
- Program crash
PID:3456

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:2708

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2664

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1KB46KER.cookie
Filesize
340B

MD5
bc41fee2a40dcc5b714680ba3295efdc

SHA1
52152a862b218e4609b01d1e5215d761242d9803

SHA256
786ee9db7a62dff9133ba62a314e0c701eb6a62d3f3573b533005901bddebd9d

SHA512
6f3376285e1779fbf0bd9861dcce9aaa72e28b3786a47a727363262f39c3ea6e806a5ea15db555f36c49941ebbfa391ac771ec170691d637a2ac1eadec80ac24

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\DYYFEXZ0.cookie
Filesize
508B

MD5
d9fbf1c291f778013715fa6ab49bd277

SHA1
8bbe86006467e0a40c40fe4cdd326d0c42f58eca

SHA256
daa7c9e02c6aad432c0708a1a433344dafb18ad6a36e97a0ad69459312ebe5d9

SHA512
43ad6286fd41d468f9a99bd31e5cf95e19a8cccf8910f24608b26d45c3662218e75220469aaacff6dada3422e275dfd16c06ed609bec810c7639c43c211010c6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\LDIVWTR6.cookie
Filesize
172B

MD5
9232846507185a4821ebda93ceb71a5f

SHA1
ffd5e40be64f3ca0f2a6e413086abf563dd9cd93

SHA256
22d84b21898266198a4c55c5625fbc31886811c72453af45fcf25b30a4f8f9cc

SHA512
fb0fba65eb0aa383574f952385f72d692c4ac92bc09b1686a4d2d6b41b00aaa95ff9d8f2c336f0b4582e5d8376459e837551ddca1f5df91bbfa5994336b63163

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\PKNG9U1S.cookie
Filesize
424B

MD5
10cbe16c3f7bafcbfddd2324e663ec21

SHA1
7dcb595e15f929ba90c7ff4f616a2367806b8366

SHA256
3d516dc49b548705ce907a28df99852d0b473d3fdf2aef1cb4aa1520f9a6eaad

SHA512
0b2e157e24a5641acce216e18f032f3e0069b3d6599a9a7499dd1720f4df59ac5114fb8606abdc601f604388b9c0f6d89af9d592ee852c428b64529fb4857b39

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VUKZ5QEZ.cookie
Filesize
256B

MD5
bbf2598cac3be6f64ca63c849534df00

SHA1
3c26bfbcccfcc601e1f15cf6409ac410c78b26a0

SHA256
e920c1e4d355b980c6b86318c8e8bd2e8b0f8f7b74d8d160aac4cc991ae5b6ae

SHA512
a2aefb1466b7e829104503a2b9f9ff998edb26ff5f7e40f1f8524b755fdfd183e07fd73f6a02f9adb9ff501685adcc6df00ceade3a8ba1ac177c1800c747d089

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
80e04972dbadb63c3aef5d5dcfe691b2

SHA1
d0b818efb24e964d94055ce63c978d7ce131a9bf

SHA256
6e8cfa2cc51d08c4d4e943a9d396ed658e5d0ead8a0af7daa1c614d6c7e8b999

SHA512
3b604442b5cb3fca01ef6c0bc57a3cb004900eabf6115158b10bd2bfbd3d989e1d3a1dab2af6cb5058e2bd51f2111c668cf945bdbb95af0dd06deaba06d8cbbb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
62071fac619f325f23e9e729853cec6f

SHA1
e6718b4248602464731633777754dbde571fdb38

SHA256
98e376f673125dd569de8595573e21ea7d7ffe830e73fedd64b155b4e2478dee

SHA512
19c756fb15d3e831ccb4ac53d7bf3e27522be791b68082b14b63aa27dfe7766756f8e7a61b34efb58e827006ea18bae97d147a271b336373bb80712d930a66f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
62071fac619f325f23e9e729853cec6f

SHA1
e6718b4248602464731633777754dbde571fdb38

SHA256
98e376f673125dd569de8595573e21ea7d7ffe830e73fedd64b155b4e2478dee

SHA512
19c756fb15d3e831ccb4ac53d7bf3e27522be791b68082b14b63aa27dfe7766756f8e7a61b34efb58e827006ea18bae97d147a271b336373bb80712d930a66f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
62071fac619f325f23e9e729853cec6f

SHA1
e6718b4248602464731633777754dbde571fdb38

SHA256
98e376f673125dd569de8595573e21ea7d7ffe830e73fedd64b155b4e2478dee

SHA512
19c756fb15d3e831ccb4ac53d7bf3e27522be791b68082b14b63aa27dfe7766756f8e7a61b34efb58e827006ea18bae97d147a271b336373bb80712d930a66f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
fc9d997fb538d8247f5b6008313428a1

SHA1
d1f0c5ed7bd2f6a18a3cb26e5414c913d12d0178

SHA256
06c115b8795b1c60dd03cf47bc9bf4ab6107638bd5a4e6ff248b60641c9ddd42

SHA512
bfd1873bd00581d5d82a52dd91dfd08249a85b4e36d37f5bca3d57157b5260f9e7d262ebc7e934631df6c85a1908fb278706d1555facfc16d0b45529f544452b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
2544df7e5997d00ae12b6c4cbafb1942

SHA1
1373f0310dfed46028cfea2f121afee30c73004e

SHA256
81fa62855b1ea60a146330bee0bce4755e9a95da67aace59864f487101b77340

SHA512
1d881ea345fef7ac9f640469b71d4f3b78ef4d90fa8c7738a1a736b534839e7ab92f9a8de76fc14b240fa1785a3e5dca8b3f1b4af17b28b4da36ab8e8c2ca013

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
b6a713503daf7acf1552c26d1bf5614c

SHA1
74e444198cc5583bb44686da8837d18fd9c51652

SHA256
e33b98d213113d051b1f07ab0e663a6c1a68006c9d3df474fb2c729383055c61

SHA512
3a41a0a009127f44d10b27716f806414e50491466d3b6ae284d70ec7ed3960107986b771f65cab7f9eb9f5847c1b8d8fe5e2e92abeb4e1b6eaace36c132261a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
memory/1004-545-0x0000000000000000-mapping.dmp

Download
memory/1160-727-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-699-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/1160-695-0x00000000009C2000-0x00000000009D3000-memory.dmp

Filesize
68KB

Download
memory/1160-837-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/1160-839-0x00000000009C2000-0x00000000009D3000-memory.dmp

Filesize
68KB

Download
memory/1160-852-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-281-0x0000000000000000-mapping.dmp

Download
memory/1160-878-0x00000000009C2000-0x00000000009D3000-memory.dmp

Filesize
68KB

Download
memory/1820-425-0x0000000000000000-mapping.dmp

Download
memory/1820-580-0x0000000000AB0000-0x0000000000AD0000-memory.dmp

Filesize
128KB

Download
memory/1820-685-0x0000000005330000-0x000000000536E000-memory.dmp

Filesize
248KB

Download
memory/1820-854-0x0000000007910000-0x0000000007AD2000-memory.dmp

Filesize
1.8MB

Download
memory/1820-855-0x0000000008010000-0x000000000853C000-memory.dmp

Filesize
5.2MB

Download
memory/2004-286-0x0000000000000000-mapping.dmp

Download
memory/2004-483-0x0000000000AE0000-0x0000000000B24000-memory.dmp

Filesize
272KB

Download
memory/2004-836-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/2004-822-0x0000000008820000-0x0000000008D1E000-memory.dmp

Filesize
5.0MB

Download
memory/2004-522-0x0000000002DB0000-0x0000000002DB6000-memory.dmp

Filesize
24KB

Download
memory/2240-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-161-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-185-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-184-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-186-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-187-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-188-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-189-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-190-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-175-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-127-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-167-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-157-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-158-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-159-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2708-284-0x0000000000000000-mapping.dmp

Download
memory/2708-628-0x0000000003CC0000-0x0000000003CD2000-memory.dmp

Filesize
72KB

Download
memory/2708-635-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2708-821-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2828-290-0x0000000000000000-mapping.dmp

Download
memory/3824-295-0x0000000000000000-mapping.dmp

Download
memory/4112-670-0x000000000A660000-0x000000000A76A000-memory.dmp

Filesize
1.0MB

Download
memory/4112-527-0x00000000028C0000-0x00000000028C6000-memory.dmp

Filesize
24KB

Download
memory/4112-704-0x000000000A600000-0x000000000A64B000-memory.dmp

Filesize
300KB

Download
memory/4112-660-0x000000000AAA0000-0x000000000B0A6000-memory.dmp

Filesize
6.0MB

Download
memory/4112-813-0x000000000A8C0000-0x000000000A926000-memory.dmp

Filesize
408KB

Download
memory/4112-301-0x0000000000000000-mapping.dmp

Download
memory/4112-840-0x000000000BA70000-0x000000000BAC0000-memory.dmp

Filesize
320KB

Download
memory/4112-665-0x000000000A530000-0x000000000A542000-memory.dmp

Filesize
72KB

Download
memory/4112-484-0x0000000000590000-0x00000000005D4000-memory.dmp

Filesize
272KB

Download
memory/4112-831-0x000000000B590000-0x000000000B622000-memory.dmp

Filesize
584KB

Download
memory/4112-827-0x000000000B470000-0x000000000B4E6000-memory.dmp

Filesize
472KB

Download