redline | 03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b

Analysis

max time kernel
151s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-08-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
Size

1.1MB
MD5

d4216a074263ea8b5346c98fce937390
SHA1

dd53f20dfa19976ec6a0e0ed9519c96e0384f893
SHA256

03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b
SHA512

2e8c8ffc9df499f7405d5dbe5eacad37b1eb8e5f68c9f3e15bb0d87a15fbeca691e2708da5ce59eb3e744b70231a7955eb2f8e75c8b09e3d65c628e37a9bc17d

Score

10^/10

redline 5 nam3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/4704-475-0x0000000000C20000-0x0000000000C40000-memory.dmp	family_redline
behavioral1/memory/312-474-0x0000000000E50000-0x0000000000E94000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exeme.exe

pid process

592 F0geI.exe
1080 kukurzka9000.exe
4704 namdoitntn.exe
192 real.exe
312 safert44.exe
4836 me.exe

pid	process
592	F0geI.exe
1080	kukurzka9000.exe
4704	namdoitntn.exe
192	real.exe
312	safert44.exe
4836	me.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe

Drops file in Windows directory 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000a7073fbacfe366a661abde0cb84019019fbc3374f3947597ec272c34f81a0496ce3d39a654e152fbd9d20ab6e16a26362c5f56c98e4ce927a61f799025d3802b83343876dc9b742a27c3c94d0c5e6d95926886a777b90cf48ed4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bf301b1ba3afd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\AA549154B737EF29C = 030000000100000014000000aa549154b737ef29c55000081fdf1f8b3ebb40910400000001000000100000001e9b655c2563f0f8b7cf2fa979f89a920f00000001000000200000001c169fb8bea23cbb597a7d0330f5f2c6fb82969934da9d676058363ca94854c614000000010000001400000039c8e33fb6d4c223863e8a9838ee2fcbbe567a13190000000100000010000000baa9030082855b9e52cb543799fa36f35c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e7050000308205e3308203cba003020102021333000001d92cb2c0c2c9e054b40000000001d9300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3232303630373138323634325a170d3233303930373138323634325a3081a5310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3123302106092a864886f70d0109011614777362657870406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d345fb3624263a3b1856614f76c90c184e75fc1ab123f51b38c31a32311a70bbec8667c0831a74b00255149eac86eb0b2e4bc21010346a0bfaed29bbba29ab5e69a8b707f955c12eeb575a70cfeccd7ca8de3de7c883dd7bb79e85c8062128750eba60d9bcb6e0a21a4e97deef8cdff249e7d7ed312b8ed769c00c80629fc31ffe942f792d67b8e360f084858065ca7c0114a231072d7380b9ee828b1e717bc81938d5c58b75f12f457d4320f90a11d1d326e0b24c69dcbb185054bf8ab0c136f8f38264911aca2edaa93754a9685eb0878b62800020838f656e4d7d3aa53a0cc07d76cfbc7d77f570346cd2bba3836d24428c2723dd6e39afd107c0f7889bdd0203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e0416041439c8e33fb6d4c223863e8a9838ee2fcbbe567a13301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c36cdc2a65c64372b6118a63a5c7ed1ecfa5b939531465ca9af136bd76d942a74ad37481be984496cd20deca7b469dc4f2e439db9e2e0eafd2b4dcab7c7b0d131a98a88e9c34787d209fe84fd1bf1031c31a63a794d8448654d9f6e1267ca9513f6d9bb17be844f225a15133665568503b50bdd2b74e1199b3afbb822dc3d9b07147f374427991b7d04234dfb77c7b4518a554b65b69b318ff2be7e541762de2726789d01f2f866523861aea19ff8ccbfaafc7d78fc242aca7f74d6ba335b4c3d7c7b5b1f5b8dbb6b3104f24dbb8f95b39ecfbdc1a4469ab254263371e8f231c32c68c574290c81c388c3148200344d9b9b3fa8bb6394ac2536f66803302873f3f857bbdbe279d9bf7d2df3422c9bf927ef7b8eb92e872fdfac7cd1fd185847555b4239740734d043b167098ede21a83d5b35431fbd4768905a474218801cf320084043f608133bc8c26752c6b15210859dad17f3cdb1f8546c8cde2b5ccb6634681aaf88339eeab1ad92b8e4babf96333a99e6ff7ada19433913a8101d63b36fcccade21ec6a41cdb44d3abad7c4065368e51eb46b5c237c37bbf04c89871e2e0da20d2e569eaf67b19787ed46c2038faf181bd00cd1d5ff1fee0ad70b457528415fce74f37c22e3bfb1b17d57e59200625989090a2bb1e3b238cb348768a98126537198be58282f64856420280d5858fc0575182dbc6d1fb4f7611b339babc	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0237231aa3afd801	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{2468038C-8658-4221-8131-1ED6D1F1FFE3} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a5e85836a3afd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{0B846224-0479-434E-A7B2-66E00D638941}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4f299419a3afd801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = a0e0af7ed5afd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 00a55136a3afd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

real.exenamdoitntn.exesafert44.exe

pid process

192 real.exe
192 real.exe
4704 namdoitntn.exe
4704 namdoitntn.exe
312 safert44.exe
312 safert44.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

2860 MicrosoftEdgeCP.exe
2860 MicrosoftEdgeCP.exe
2860 MicrosoftEdgeCP.exe
2860 MicrosoftEdgeCP.exe

pid	process
192	real.exe
192	real.exe
4704	namdoitntn.exe
4704	namdoitntn.exe
312	safert44.exe
312	safert44.exe

pid	process
2860	MicrosoftEdgeCP.exe
2860	MicrosoftEdgeCP.exe
2860	MicrosoftEdgeCP.exe
2860	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exenamdoitntn.exesafert44.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1524	MicrosoftEdge.exe
Token: SeDebugPrivilege	1524	MicrosoftEdge.exe
Token: SeDebugPrivilege	1524	MicrosoftEdge.exe
Token: SeDebugPrivilege	1524	MicrosoftEdge.exe
Token: SeDebugPrivilege	3996	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3996	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3996	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3996	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4704	namdoitntn.exe
Token: SeDebugPrivilege	312	safert44.exe
Token: SeDebugPrivilege	4684	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4684	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1524 MicrosoftEdge.exe
2860 MicrosoftEdgeCP.exe
2860 MicrosoftEdgeCP.exe

pid	process
1524	MicrosoftEdge.exe
2860	MicrosoftEdgeCP.exe
2860	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2276 wrote to memory of 592	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	F0geI.exe
PID 2276 wrote to memory of 592	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	F0geI.exe
PID 2276 wrote to memory of 592	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	F0geI.exe
PID 2276 wrote to memory of 1080	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	kukurzka9000.exe
PID 2276 wrote to memory of 1080	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	kukurzka9000.exe
PID 2276 wrote to memory of 1080	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	kukurzka9000.exe
PID 2276 wrote to memory of 4704	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	namdoitntn.exe
PID 2276 wrote to memory of 4704	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	namdoitntn.exe
PID 2276 wrote to memory of 4704	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	namdoitntn.exe
PID 2276 wrote to memory of 192	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	real.exe
PID 2276 wrote to memory of 192	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	real.exe
PID 2276 wrote to memory of 192	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	real.exe
PID 2276 wrote to memory of 312	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	safert44.exe
PID 2276 wrote to memory of 312	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	safert44.exe
PID 2276 wrote to memory of 312	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	safert44.exe
PID 2276 wrote to memory of 4836	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	me.exe
PID 2276 wrote to memory of 4836	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	me.exe
PID 2276 wrote to memory of 4836	2276	03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe	me.exe
PID 2860 wrote to memory of 4700	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4700	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4700	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4700	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4660	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4660	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4660	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2860 wrote to memory of 4660	2860	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe
"C:\Users\Admin\AppData\Local\Temp\03aa04ba5e33493632300e4eebfa03226d2e1c2154750b373819c2907428892b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:592

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:1080

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:192

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
ec59f38fa35c0cf3babd976f5f23c74e

SHA1
2f7600ac9df0869fae48d99afe9569d83efafc8b

SHA256
6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

SHA512
d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
ec59f38fa35c0cf3babd976f5f23c74e

SHA1
2f7600ac9df0869fae48d99afe9569d83efafc8b

SHA256
6d0d294e321014a3129d3533ce143f08b0a3639cc50ddaf236396b82a595925e

SHA512
d4d2c4078dd40bc57d421750ac26f5467f082f6b4fae422d574ca406b928b6bb1e4f7cbb80a80b11f3908134028c6b7bb3b67c17e02d1899a6cda6e0312c3574

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
281KB

MD5
0856c11e41b1bf5e5aafb44fa4eaae4e

SHA1
3bb9039bbe89b2058c7c7d0537d7ddaa8f5d2826

SHA256
0721243b2d897a8734838ac4fbd402dab5a247a973f08fc82703a565c516911f

SHA512
f5605d5d0ef514dd6f571c30b79608a6ddbb8fb025c2750448a758295a0f3fc47a1b973aab0e061f8361b696c920ebb54073ef109cfd14cd08cdb98b9a1b7726

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
281KB

MD5
0856c11e41b1bf5e5aafb44fa4eaae4e

SHA1
3bb9039bbe89b2058c7c7d0537d7ddaa8f5d2826

SHA256
0721243b2d897a8734838ac4fbd402dab5a247a973f08fc82703a565c516911f

SHA512
f5605d5d0ef514dd6f571c30b79608a6ddbb8fb025c2750448a758295a0f3fc47a1b973aab0e061f8361b696c920ebb54073ef109cfd14cd08cdb98b9a1b7726

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
282KB

MD5
474861050e6a7b65bc4521096cb05454

SHA1
4e1aabe27598171a89c219aab860b325a4358b22

SHA256
ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

SHA512
42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
282KB

MD5
474861050e6a7b65bc4521096cb05454

SHA1
4e1aabe27598171a89c219aab860b325a4358b22

SHA256
ccd962957659555af7c607deb20a4ec34a1578af037d5310ffd07bd092f0ebc7

SHA512
42afff00dd616fc73d1c338184149ddb66376e808cd2da39a94357c8d296a245ab0f1e474aac1789d613efef3c1867e0c3a2e41c07ac21bcc07e00ea08309a79

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\2K0XILZM.cookie
Filesize
336B

MD5
261f9f471e3831e8b40dd4e1aff12a99

SHA1
b51ad8407330fae762665594fffb9b52d6f70c47

SHA256
f18f9cade7b44e85a60c8254024a1d1f01c38ddbcf6b55689d1b35b84931e619

SHA512
a99cf27081e2fd6d9718afdb37ef50cc077182e497a8a74efe9eb230c912b96fcf14c240f174938231a57957a3063c10c0cdeefa4f549075c2a9eff5cc00d192

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\H0FDZXTQ.cookie
Filesize
253B

MD5
3b4f203a930008d073733ed025d81f4e

SHA1
1fcd24ed04bea9af66777eaf00be21674c38e449

SHA256
15d2949227d29fd25a05858f83248f250bfb409961b7ed0b2c9163cdb1e015ef

SHA512
49e6bbb9baa8a13ed9b2d63e5666c5ad23d25a61e39d197e08bfc5fd250cfa64c60f60724883f77deed8a58e5f570090ab5a7296ce811f6d4641b47fd8138f19

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\JVPNCHJL.cookie
Filesize
170B

MD5
81b9370ee7e30edd9249aed307815cab

SHA1
bd41dcf0e2412bbd4de6213b6527ed6b5f527b6a

SHA256
f00941b6a993bf49f40b76d9f2a8b045736c5d4e460b7538c138ff1f6e232710

SHA512
bcd64dc8fc37c3b38098c9bcf709fe3be7948cf4c11ca4588d1cbf811a033ae538d4122eaf1fbd51d636e032a169043b6f62ce3bd59863de8afbebd8547cad04

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
38e6e695026b8e0b5b1172191b1bf2a8

SHA1
0b89304a72cf0561609fdb0d1e5cbf4a380794d2

SHA256
8fb608b0f47bf77139cfe93cf45737affbf58ea54d098a8ef64be01b40268f6f

SHA512
f02f89349895bb99bf946a488ba7b49091e9eaff4f4f44d3bb537b610b6dbfb81d90255c90cb182512ad1cf8efc374173447979db4c15e57382f122cd383ca50

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
38e6e695026b8e0b5b1172191b1bf2a8

SHA1
0b89304a72cf0561609fdb0d1e5cbf4a380794d2

SHA256
8fb608b0f47bf77139cfe93cf45737affbf58ea54d098a8ef64be01b40268f6f

SHA512
f02f89349895bb99bf946a488ba7b49091e9eaff4f4f44d3bb537b610b6dbfb81d90255c90cb182512ad1cf8efc374173447979db4c15e57382f122cd383ca50

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
38e6e695026b8e0b5b1172191b1bf2a8

SHA1
0b89304a72cf0561609fdb0d1e5cbf4a380794d2

SHA256
8fb608b0f47bf77139cfe93cf45737affbf58ea54d098a8ef64be01b40268f6f

SHA512
f02f89349895bb99bf946a488ba7b49091e9eaff4f4f44d3bb537b610b6dbfb81d90255c90cb182512ad1cf8efc374173447979db4c15e57382f122cd383ca50

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
83caa00b5f288b978b8d604f541e45c5

SHA1
e72b2cc04bcb60af51d156ff364d772d64e21d58

SHA256
6bb2a9b6fb08745f2041163a813dce0b07ac1090a88702a0dd77bda5e7168201

SHA512
37a4e449325a449a68e88a280f43cc46eea96f1bda161337df0fe61b7e6a66bb1d9b0f5b5b92013b54144fb5055064a9294311f12f082d19b1dd14c67cc6f6c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
2f8e3fc20e2001ab42a2513f60505df7

SHA1
1b614bff21ee057fff83d9bc0a81c19766088549

SHA256
66755074a515baf7bdd5b35b343086e21ef72fca40cf15c4436dd1368e0525ca

SHA512
0ff44b57062f1c62418822e17db8d5d57804ad8624a3885d71510e6e7413c735004e6a6422e16299c75ded9a2281e934224ac9d2085ebfcaf586c24b1156a537

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
memory/192-259-0x0000000000000000-mapping.dmp

Download
memory/312-646-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/312-267-0x0000000000000000-mapping.dmp

Download
memory/312-677-0x0000000006D00000-0x0000000006D50000-memory.dmp

Filesize
320KB

Download
memory/312-511-0x0000000003040000-0x0000000003046000-memory.dmp

Filesize
24KB

Download
memory/312-570-0x0000000005D80000-0x0000000006386000-memory.dmp

Filesize
6.0MB

Download
memory/312-662-0x00000000068A0000-0x0000000006916000-memory.dmp

Filesize
472KB

Download
memory/312-474-0x0000000000E50000-0x0000000000E94000-memory.dmp

Filesize
272KB

Download
memory/312-596-0x0000000005830000-0x000000000586E000-memory.dmp

Filesize
248KB

Download
memory/592-478-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-243-0x0000000000000000-mapping.dmp

Download
memory/592-643-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/592-644-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-465-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/592-472-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/1080-598-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1080-595-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1080-591-0x0000000003DA0000-0x0000000003DB2000-memory.dmp

Filesize
72KB

Download
memory/1080-247-0x0000000000000000-mapping.dmp

Download
memory/2276-146-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-117-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-162-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-163-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-165-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-166-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-164-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-167-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-168-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-169-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-170-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-171-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-172-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-173-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-174-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-175-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-176-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-177-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-178-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-179-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-180-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-160-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-159-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-158-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-157-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-118-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-156-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-155-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-154-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-153-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-152-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-151-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-119-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-150-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-149-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-148-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-147-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-161-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-145-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-144-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-120-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-143-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-142-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-141-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-140-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-139-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-138-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-137-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-121-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-122-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-136-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-135-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-134-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-133-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-132-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-131-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-130-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-123-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-129-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-128-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-127-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-126-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-125-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2276-124-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4704-612-0x0000000005930000-0x000000000597B000-memory.dmp

Filesize
300KB

Download
memory/4704-576-0x0000000007910000-0x0000000007A1A000-memory.dmp

Filesize
1.0MB

Download
memory/4704-572-0x0000000005B80000-0x0000000005B92000-memory.dmp

Filesize
72KB

Download
memory/4704-475-0x0000000000C20000-0x0000000000C40000-memory.dmp

Filesize
128KB

Download
memory/4704-651-0x0000000008040000-0x000000000853E000-memory.dmp

Filesize
5.0MB

Download
memory/4704-663-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/4704-668-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/4704-669-0x0000000008710000-0x00000000088D2000-memory.dmp

Filesize
1.8MB

Download
memory/4704-670-0x0000000008E10000-0x000000000933C000-memory.dmp

Filesize
5.2MB

Download
memory/4704-255-0x0000000000000000-mapping.dmp

Download
memory/4836-274-0x0000000000000000-mapping.dmp

Download