b1e1c263f2199cdb3bcf29a0c7a7e114fd73490639d438a42eacfa7e8b0487b7

Analysis

max time kernel
186s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacksInstaller_5.9.140.1014_native_6f8f65bf1720a18c73c08ab944aa69a2_1.exe
Size

786KB
MD5

e4701efaa6829d632b00b4c8b72ab879
SHA1

0a23aed7818aa2efcb1c182cfe3345cacef7b7c2
SHA256

b1e1c263f2199cdb3bcf29a0c7a7e114fd73490639d438a42eacfa7e8b0487b7
SHA512

73db6424f52bd691cd496ea7bec8dc12fafb80c7d2cdede957f34218e0ffee735e85402c28d10d21b1f75446eba87846472a149d728b118964625d1dcb375462
SSDEEP

12288:givtCXQd0RYK13v6qQdeRPHKS5g69vqW/mnxl4d0eCAESVFwUw5h6gM:givtCXF13v6qQOqR69immxheC+EUw5kP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4088	BlueStacksInstaller.exe
3580	HD-CheckCpu.exe
3372	HD-CheckCpu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller_5.9.140.1014_native_6f8f65bf1720a18c73c08ab944aa69a2_1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3527210738"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985248"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985248"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000094f9bf2111c775120bc2c2211ac71ae7b8bc19c4ad2bffdb06c75ef909e7f377000000000e80000000020000200000003d61e8a5a7ca5809e9c98e67e3fb9ec92b483c55a2f20accccc249db7e553164200000004fc1a93d428ed0b2354104aae10ec7d35e2cd671f313daf86ad8d827aeca63e640000000fdd3b51b421f8285cafff22e2b596bac4cd070f82042b2bc402eb8823ebc64acb69fd73e85f3e1e1b6b77b0c85fb459205255679327eed433f1425e068908e96	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300df6d220ccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4AC37244-3814-11ED-89AC-4A8324823CC0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3491651640"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04ba80d21ccd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3491651640"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "yes"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370354377"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FB184771-3813-11ED-89AC-4A8324823CC0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3492284779"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\AutoHide = "yes"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000cf5bd3eb85e2beb978d1d462a83162905ea9d4bb2d4326f35f33200ef9ddcfb1000000000e80000000020000200000008924ab6f280f9730f37a90712e59c3de8912e9d26a3dd964bdee2c45d7fc8c4720000000c23ecb68c2cb197a6d872d4c776b3bb90721462a288b0c4256b320e6b544821840000000627206675c062d880427bf4c32c56a582371c72d2fd119a5920af21a557203c8c9cc014e87c4104018a5f51f245418e8cfd7302753fa3d116fa1df2c6774cb76	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3527210738"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4088	BlueStacksInstaller.exe
4088	BlueStacksInstaller.exe
4088	BlueStacksInstaller.exe
4088	BlueStacksInstaller.exe
4088	BlueStacksInstaller.exe
4088	BlueStacksInstaller.exe
4088	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	BlueStacksInstaller.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4920	iexplore.exe
5020	iexplore.exe
3400	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4920	iexplore.exe
4920	iexplore.exe
5020	iexplore.exe
5020	iexplore.exe
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
5020	iexplore.exe
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
3400	iexplore.exe
3400	iexplore.exe
4508	IEXPLORE.EXE
4508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 4088	1840	BlueStacksInstaller_5.9.140.1014_native_6f8f65bf1720a18c73c08ab944aa69a2_1.exe	81
PID 1840 wrote to memory of 4088	1840	BlueStacksInstaller_5.9.140.1014_native_6f8f65bf1720a18c73c08ab944aa69a2_1.exe	81
PID 3424 wrote to memory of 5020	3424	MSOXMLED.EXE	95
PID 3424 wrote to memory of 5020	3424	MSOXMLED.EXE	95
PID 2388 wrote to memory of 4920	2388	MSOXMLED.EXE	94
PID 2388 wrote to memory of 4920	2388	MSOXMLED.EXE	94
PID 2160 wrote to memory of 4492	2160	MSOXMLED.EXE	97
PID 2160 wrote to memory of 4492	2160	MSOXMLED.EXE	97
PID 4920 wrote to memory of 1484	4920	iexplore.exe	98
PID 4920 wrote to memory of 1484	4920	iexplore.exe	98
PID 4920 wrote to memory of 1484	4920	iexplore.exe	98
PID 5020 wrote to memory of 4280	5020	iexplore.exe	99
PID 5020 wrote to memory of 4280	5020	iexplore.exe	99
PID 5020 wrote to memory of 4280	5020	iexplore.exe	99
PID 4088 wrote to memory of 3580	4088	BlueStacksInstaller.exe	100
PID 4088 wrote to memory of 3580	4088	BlueStacksInstaller.exe	100
PID 4088 wrote to memory of 3580	4088	BlueStacksInstaller.exe	100
PID 4088 wrote to memory of 3372	4088	BlueStacksInstaller.exe	102
PID 4088 wrote to memory of 3372	4088	BlueStacksInstaller.exe	102
PID 4088 wrote to memory of 3372	4088	BlueStacksInstaller.exe	102
PID 4532 wrote to memory of 3400	4532	MSOXMLED.EXE	116
PID 4532 wrote to memory of 3400	4532	MSOXMLED.EXE	116
PID 3400 wrote to memory of 4508	3400	iexplore.exe	117
PID 3400 wrote to memory of 4508	3400	iexplore.exe	117
PID 3400 wrote to memory of 4508	3400	iexplore.exe	117

C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.9.140.1014_native_6f8f65bf1720a18c73c08ab944aa69a2_1.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.9.140.1014_native_6f8f65bf1720a18c73c08ab944aa69a2_1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\7zS0376A856\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0376A856\BlueStacksInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    PID:3580
- - C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    PID:3372

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\PopDisable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PopDisable.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5020 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4280

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\PopDisable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PopDisable.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4920 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1484

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\PopDisable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PopDisable.xml
  2⤵
  - Modifies Internet Explorer settings
  PID:4492

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\eb6d51f5c9394f52b547d589c94116a9 /t 4076 /p 4088
1⤵
PID:2092

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\PopDisable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PopDisable.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3400 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
520071a63bb5e2038486cd0ce14055b1

SHA1
752cfb61bbe3ae1e2c2609c53aeee510661a59ed

SHA256
f8a989e9cf1fe0f0000c795537122a3c727e3b570b66582bfb62d9bbae4b20f8

SHA512
6f0131c9e0943c6a13d52a7525e1c592c95db868bf2dd21a8a37254150a239748985cc31518d0c4844bebfc5613feee6857b5debfbbbd6ed4539cd5e494ebbb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
520071a63bb5e2038486cd0ce14055b1

SHA1
752cfb61bbe3ae1e2c2609c53aeee510661a59ed

SHA256
f8a989e9cf1fe0f0000c795537122a3c727e3b570b66582bfb62d9bbae4b20f8

SHA512
6f0131c9e0943c6a13d52a7525e1c592c95db868bf2dd21a8a37254150a239748985cc31518d0c4844bebfc5613feee6857b5debfbbbd6ed4539cd5e494ebbb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
3279a44b6a7aacda365b26871d3804f5

SHA1
4c35b0c4e73586d211e44dd6f30bb34271c644bd

SHA256
46c6502a5a4fd3aa6efddbb197e853c243ea1aef0d416cb5c4356f6981051805

SHA512
5ba5df708c0a3f5d29b57c9d05a324ca793bc5c7e8c7dd1ebe435bf9fc51f4655e401d77ac1f81361ae18ecf08b33c1055df6ddb77499f274d359f40f93b9784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
a29b4e9eac65133f54d085c4a3b40b30

SHA1
affb8788aa234f0ac03f07317f272e5a61733f80

SHA256
4908c30d44fdb238721ccc0e242309594db44aa55e6a5e9493e0897468879c6c

SHA512
85291fdea942c680968364dad142d4b387d58c03253aaf109d961b37911c6ac0be5cec5ff528e4d21f4ee363b79dd8e6fbb9436203dc58283889896ce95c4dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FB184771-3813-11ED-89AC-4A8324823CC0}.dat

Filesize
5KB

MD5
38643d45831483e54cebbbbc10270260

SHA1
e2e1071f8c55a5529f8ae0288fcf0f416b79335c

SHA256
d787cf466b81ecb8994e373f889c1af81aedc0ab7ef408883cdd19c51fe060b1

SHA512
01044a0a9376c4031c59136a5707065d6d3f270d42e172dfc9935bbc5c908a56f66d174bd1fa29a8e1d16c7569c144ce3c81127fea9bbf718502ffdd66e60d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FB184771-3813-11ED-89AC-4A8324823CC0}.dat

Filesize
5KB

MD5
f58c46e72f9efcc3000b28bb59260ce6

SHA1
c3cf1258e9204d5c2e854bdd4328efe5d3595550

SHA256
e4b92349342e619cea5f3391bff6fb7b8b668cb2c594026a56bad047263d8d05

SHA512
2099cf8b0fa7ae0a831e60dda9f8ff856b030f40b4f6c881f2c070c541b7a08f907174b0df585e851b8b6f93a00a0ef9fd2acdf5ef10adf0656b10688a7d766e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FB186E81-3813-11ED-89AC-4A8324823CC0}.dat

Filesize
5KB

MD5
20370449f56eb47e5b6da79828c4773e

SHA1
aa47f1b82d333ca0859c40aa35e01211f80de2e7

SHA256
f84b6e576e8f1e111369a8496ddcf9adb578db521ec0384f788087240f0f4e6d

SHA512
92489f27c06d7bf8545cf8dc5111808cb4a1df03b17333bd0723a7fcb3b8734bc8aa79b6ed66f3f4a2a244a0f92583eb2157f1f640875aee58bfd4135f882cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{45B4FC55-3814-11ED-89AC-4A8324823CC0}.dat

Filesize
5KB

MD5
be2652c421d81bec35c27b7a179b8c8c

SHA1
39f9292bed858b542b6aa5bd1d8f2877cf09abcd

SHA256
867158ffcb7360dad1a12fe41163ae92a4d332f88729eaabf7b8b8fcfe514edc

SHA512
8f46f25d2411f9423868f70056de8dc7f26fc9ec7ba3835dad3b6acb29e709c2111bbbfe744a3dcff505112fdbc448ea5965e3b566de1cfddb85ff229cfa4108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{45B4FC56-3814-11ED-89AC-4A8324823CC0}.dat

Filesize
4KB

MD5
fccfbf2c15a35f59359369bacb3e0d43

SHA1
c3baf91cc55f1bcb6683ea4940f95744547de024

SHA256
2c6941c9600d44098fa340584f1741dc6ab0e7eca7cd3aaabd848620b4b5c0a2

SHA512
ddc2ce03929ee2e6a889d78a128efec18bcf87a2c09d4a1d4d994768ca6c288cfecbad6b7a527ce60e3758319c103a49afea7d87c1c21b44bf71dfb9e6dc6301

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\backicon.png

Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\checked_gray.png

Filesize
538B

MD5
ce144d2aab3bf213af693d4e18f87a59

SHA1
df59dc3dbba88bdc5ffc25f2e5e7b73ac3de5afa

SHA256
d8e502fab00b0c6f06ba6abede6922ab3b423fe6f2d2f56941dabc887b229ad3

SHA512
0f930edd485a0d49ef157f6cc8856609c087c91b77845adeb5cc8c8a80ebc7ec5416df351ffa1af780caad884dbb49dcc778b0b30de6fb7c85ffef22d7220ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\close_red.png

Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\custom.png

Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\installer_bg.jpg

Filesize
42KB

MD5
162c23f5962381efba79be503b41089c

SHA1
fc5a95e6eb2bb015fe27457873528c24b3bc459d

SHA256
04d70d0968675290294df78800ed48fe4a681a72803405fbdc541b927b445457

SHA512
9bd6e634d6cb362ab40f2646ca59a865f05e6049ac55b9d03b3df1f8e853715119438771196a351ca98c6cb61a212bbc0bedb7bf2d306563f6198353a7680c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\installer_logo.png

Filesize
7KB

MD5
d6f746b61d5c91d6688faab54ecc74c3

SHA1
9581cafbc93d6189c7e0633bd43dfd017510f731

SHA256
ed7e205b0ccdd454d4fa47c48834ad36a6e9fb51f4042a2dcd39a7fe01244d95

SHA512
0139711388976628ebd46a2f1dc7e0c38184d3b4ab63a8f2b6c8cd9e6032cddcd2dafb8ce4ab3ba8008beba9d6c3e444577cd7953bb48e39635e5c9666fdf478

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\installer_minimize.png

Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\setpath.png

Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Assets\unchecked_gray.png

Filesize
192B

MD5
e50df2a0768f7fc4c3fe8d784564fea3

SHA1
d1fc4db50fe8e534019eb7ce70a61fd4c954621a

SHA256
671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396

SHA512
c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\BlueStacksInstaller.exe

Filesize
553KB

MD5
9cd4479d22ea06eb7b5712b9d561298d

SHA1
59a11467de60f8d5453c49dc22c892c952c405c0

SHA256
b52fa423cfed9e287b81f494af9fc4f3e43c56f002a7fa4c52c9aa5108e8e831

SHA512
165c60f0f6dd46a06b018d4b5ff57cece739cdfa932fd7a145c91dfe923715ca03f012f40c524648571e6ebcab822c98b6ee59b61b4e311699afd422bc977b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\BlueStacksInstaller.exe

Filesize
553KB

MD5
9cd4479d22ea06eb7b5712b9d561298d

SHA1
59a11467de60f8d5453c49dc22c892c952c405c0

SHA256
b52fa423cfed9e287b81f494af9fc4f3e43c56f002a7fa4c52c9aa5108e8e831

SHA512
165c60f0f6dd46a06b018d4b5ff57cece739cdfa932fd7a145c91dfe923715ca03f012f40c524648571e6ebcab822c98b6ee59b61b4e311699afd422bc977b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe

Filesize
211KB

MD5
764ac83167adcd8d2273f6bff7d769b2

SHA1
bf6a46b8c03d7efb16fdd6e4ce0a5e4362f41957

SHA256
e81e0444ba2deb4056872d1c4f9b01971bb4fb376c6434c942718da7c39190bf

SHA512
a3a484aaf5cfdff1c198c37f3055409dc066646db3d61e74bfef2b4ce212d95fd43d3e3b239e080ba9fab62eae23cd4b54b6b466fad3192845b43d4212ccd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe

Filesize
211KB

MD5
764ac83167adcd8d2273f6bff7d769b2

SHA1
bf6a46b8c03d7efb16fdd6e4ce0a5e4362f41957

SHA256
e81e0444ba2deb4056872d1c4f9b01971bb4fb376c6434c942718da7c39190bf

SHA512
a3a484aaf5cfdff1c198c37f3055409dc066646db3d61e74bfef2b4ce212d95fd43d3e3b239e080ba9fab62eae23cd4b54b6b466fad3192845b43d4212ccd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\HD-CheckCpu.exe

Filesize
211KB

MD5
764ac83167adcd8d2273f6bff7d769b2

SHA1
bf6a46b8c03d7efb16fdd6e4ce0a5e4362f41957

SHA256
e81e0444ba2deb4056872d1c4f9b01971bb4fb376c6434c942718da7c39190bf

SHA512
a3a484aaf5cfdff1c198c37f3055409dc066646db3d61e74bfef2b4ce212d95fd43d3e3b239e080ba9fab62eae23cd4b54b6b466fad3192845b43d4212ccd667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\Locales\i18n.en-US.txt

Filesize
14KB

MD5
b236225dbe5a894b772e229dd188a71f

SHA1
dabcd1ecc4d78dae86154e6d2d7cd3a1bc40dafb

SHA256
d8e5ff88aea65acbc7acb465425c49b8d56a3511c411d3306c416737c0939a35

SHA512
b727a45502be8186377416a1399c0a76b03863c42d51028aabe4655fc5f2c0c4ff422dd822d8c6f86affc04bac9583cc0252fccabe3149e080aef7990e5a2738

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0376A856\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
5KB

MD5
8f39a79b662b60955bc9f3fc993c9e76

SHA1
f0089dbc61417e404ced1db88f8c35b7f938e8f6

SHA256
9f3c0eb967fbd632b1a86e247cf481846095843e2d5cdbe590d54b656bb47f9a

SHA512
e05f92713ca0aa1746c98c807a97b2dddf855aee6b98c915a9d4ae2ccd3a51c5165776e2cc3cecf014cd76e702412ed9513dfb34f9880b371dd997bd27a8e45c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
5KB

MD5
8f39a79b662b60955bc9f3fc993c9e76

SHA1
f0089dbc61417e404ced1db88f8c35b7f938e8f6

SHA256
9f3c0eb967fbd632b1a86e247cf481846095843e2d5cdbe590d54b656bb47f9a

SHA512
e05f92713ca0aa1746c98c807a97b2dddf855aee6b98c915a9d4ae2ccd3a51c5165776e2cc3cecf014cd76e702412ed9513dfb34f9880b371dd997bd27a8e45c

Download Submit
memory/2388-156-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/2388-151-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/2388-149-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/2388-146-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/2388-145-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/2388-143-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/3424-157-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/3424-160-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/3424-153-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4088-191-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-137-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-189-0x0000000022B20000-0x0000000022B28000-memory.dmp

Filesize
32KB

Download
memory/4088-140-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-139-0x0000000002E00000-0x0000000002E68000-memory.dmp

Filesize
416KB

Download
memory/4088-172-0x00000000216A0000-0x00000000216D8000-memory.dmp

Filesize
224KB

Download
memory/4088-173-0x0000000021670000-0x000000002167E000-memory.dmp

Filesize
56KB

Download
memory/4088-136-0x0000000000C70000-0x0000000000CFE000-memory.dmp

Filesize
568KB

Download
memory/4088-142-0x000000001D3C0000-0x000000001D8E8000-memory.dmp

Filesize
5.2MB

Download
memory/4532-200-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-202-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-203-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-204-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-205-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-206-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-201-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-199-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download
memory/4532-198-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

Filesize
64KB

Download