remcos | e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6

Analysis

max time kernel
202s
max time network
214s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-11-2022 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
Size

754KB
MD5

d963ac1435b96872ea5380743976002a
SHA1

5f043557947581d52642d2622ea88e3d133861bf
SHA256

e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6
SHA512

24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648
SSDEEP

12288:AOXBqPwNK7sb7/sn1gSp4JZQwcJ4ogRM6qLQxs8iKFhpezUQtD9jq:Te7w7En1gSp4TCYW4i8l7ezUA9j

Score

10^/10

remcos nov end microsoft evasion persistence phishing rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Nov End

terzona2022.duckdns.org:3030

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows input text.exe
copy_folder
Microsoft Text
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Microsoft Sound Text
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

Processes:

Windows input text.exeWindows input text.exeWindows input text.exeWindows input text.exe

pid process

4632 Windows input text.exe
808 Windows input text.exe
1792 Windows input text.exe
1752 Windows input text.exe

pid	process
4632	Windows input text.exe
808	Windows input text.exe
1792	Windows input text.exe
1752	Windows input text.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exeWindows input text.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Text = "\"C:\\Windows\\Microsoft Text\\Windows input text.exe\""	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows input text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Text = "\"C:\\Windows\\Microsoft Text\\Windows input text.exe\""	Windows input text.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 3 IoCs

Processes:

e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exeWindows input text.exeWindows input text.exe

description	pid	process	target process
PID 3472 set thread context of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 4632 set thread context of 1752	4632	Windows input text.exe	Windows input text.exe
PID 1752 set thread context of 2276	1752	Windows input text.exe	iexplore.exe

Drops file in Windows directory 7 IoCs

Processes:

e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\Microsoft Text\Windows input text.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
File opened for modification	C:\Windows\Microsoft Text\Windows input text.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
File opened for modification	C:\Windows\Microsoft Text	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = cd88d8546204d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{0D70A375-13AE-4C08-81E4-5A6FD885952D} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000007af3a15b542c5bcc40acda5777a50a185a4a5f7cabb7e3b9c95b3f7625ab2185f908bb640b0d7dda3fab3254dacd6bcdd57184ff55612a59a7ffffe53ee06ef5bd0ae6e3432738c715fd8bbe81f67eab43961804481379926988e0fcf965da9ed0198477481ab644ddc4d4dbefc034d3f6d78a54e16eb87b2016121b63dc3d7a9a553eeaf585f2d0e4205e6717cc6b377e566ed849132f2181c8b7ce6ce4aec7a3decdc9930ac6ed57327ef209b820853532dcd6f4a08fc383c0e919f71c20389dd4afd1e848e0e543187f8c0125371fcf8acc045fb7eea5551d5f056a26203983571d22efdf3d24fef3b7c2cab3b52857808c6881f69d6b40ff518603a1b042ba87dc49956f451904e456ebc302739fee329c07d3fe8b092786dfb3dc2ca83aec84051d149817b52b099cf5bcb203854bc22f6822704d42b1d10748306998e7f56e396058fa6369e783e85666645f1ecd4e2de0edea23b4ea02bb7988f66173f4651d3d0235c4c091724e4454b6903553f809b9440e157a1238701bd1753afba989228f40e91b8847f71c442a49ca7dbcde471e877ab35862e401573cfd2905b59646dc2ed2	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = d581f14b6daed801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = d581f14b6daed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{E2F4E102-2CB1-426C-9C27-6019E26A7ABC}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c4d6db4d6204d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{23C8F040-7000-4813-9C69-03F33AD1F4FD}"	MicrosoftEdge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3168 reg.exe
1116 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3904 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Windows input text.exe

pid process

4632 Windows input text.exe
4632 Windows input text.exe
4632 Windows input text.exe
4632 Windows input text.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4012 MicrosoftEdgeCP.exe
4012 MicrosoftEdgeCP.exe
4012 MicrosoftEdgeCP.exe
4012 MicrosoftEdgeCP.exe

pid	process
3168	reg.exe
1116	reg.exe

pid	process
3904	PING.EXE

pid	process
4632	Windows input text.exe
4632	Windows input text.exe
4632	Windows input text.exe
4632	Windows input text.exe

pid	process
4012	MicrosoftEdgeCP.exe
4012	MicrosoftEdgeCP.exe
4012	MicrosoftEdgeCP.exe
4012	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Windows input text.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4632	Windows input text.exe
Token: SeDebugPrivilege	4036	MicrosoftEdge.exe
Token: SeDebugPrivilege	4036	MicrosoftEdge.exe
Token: SeDebugPrivilege	4036	MicrosoftEdge.exe
Token: SeDebugPrivilege	4036	MicrosoftEdge.exe
Token: SeDebugPrivilege	3820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3176	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4036 MicrosoftEdge.exe
4012 MicrosoftEdgeCP.exe
4012 MicrosoftEdgeCP.exe

pid	process
4036	MicrosoftEdge.exe
4012	MicrosoftEdgeCP.exe
4012	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exee4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.execmd.execmd.exeWindows input text.exeWindows input text.execmd.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 3472 wrote to memory of 4224	3472	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
PID 4224 wrote to memory of 3044	4224	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	cmd.exe
PID 4224 wrote to memory of 3044	4224	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	cmd.exe
PID 4224 wrote to memory of 3044	4224	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	cmd.exe
PID 3044 wrote to memory of 3168	3044	cmd.exe	reg.exe
PID 3044 wrote to memory of 3168	3044	cmd.exe	reg.exe
PID 3044 wrote to memory of 3168	3044	cmd.exe	reg.exe
PID 4224 wrote to memory of 4844	4224	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	cmd.exe
PID 4224 wrote to memory of 4844	4224	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	cmd.exe
PID 4224 wrote to memory of 4844	4224	e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe	cmd.exe
PID 4844 wrote to memory of 3904	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 3904	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 3904	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 4632	4844	cmd.exe	Windows input text.exe
PID 4844 wrote to memory of 4632	4844	cmd.exe	Windows input text.exe
PID 4844 wrote to memory of 4632	4844	cmd.exe	Windows input text.exe
PID 4632 wrote to memory of 808	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 808	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 808	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1792	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1792	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1792	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 4632 wrote to memory of 1752	4632	Windows input text.exe	Windows input text.exe
PID 1752 wrote to memory of 216	1752	Windows input text.exe	cmd.exe
PID 1752 wrote to memory of 216	1752	Windows input text.exe	cmd.exe
PID 1752 wrote to memory of 216	1752	Windows input text.exe	cmd.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 1752 wrote to memory of 2276	1752	Windows input text.exe	iexplore.exe
PID 216 wrote to memory of 1116	216	cmd.exe	reg.exe
PID 216 wrote to memory of 1116	216	cmd.exe	reg.exe
PID 216 wrote to memory of 1116	216	cmd.exe	reg.exe
PID 4012 wrote to memory of 3820	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 3820	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 3820	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 3820	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 3820	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 3820	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 2708	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 2708	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 2708	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 2708	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4012 wrote to memory of 2708	4012	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
"C:\Users\Admin\AppData\Local\Temp\e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe
"C:\Users\Admin\AppData\Local\Temp\e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:3904

C:\Windows\Microsoft Text\Windows input text.exe
"C:\Windows\Microsoft Text\Windows input text.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft Text\Windows input text.exe
"C:\Windows\Microsoft Text\Windows input text.exe"
5⤵
- Executes dropped EXE
PID:808

C:\Windows\Microsoft Text\Windows input text.exe
"C:\Windows\Microsoft Text\Windows input text.exe"
5⤵
- Executes dropped EXE
PID:1792

C:\Windows\Microsoft Text\Windows input text.exe
"C:\Windows\Microsoft Text\Windows input text.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:1116

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:2276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2A7MW8A2\application-not-started[1].htm
Filesize
42KB

MD5
d4e256bcf36c6a6281352e1a88df9f78

SHA1
c4ae3690ea5200a86db8d17c26c5b7ed8e7b5384

SHA256
b2bf55793df6f7ea3dc47b551d432a162b1a06966d46a4921a14db6f3727a8ba

SHA512
bd1edec1469ac29f59be45c8ec779dc3c65206c53036d5f0375a0e1e22f4f90708519815e5e337baa46e5b11924c1a33676d195059c48e461739f29ca0889fca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2A7MW8A2\docons.29bd7c9e[1].woff2
Filesize
14KB

MD5
094518f4ab9fd6113192ee7a3e91492d

SHA1
253573646c32cac13a93f1ef85948ad958d5b740

SHA256
47ed576194872391fe57690fd7418d03051502930b6b5bb4eab5b96e5c592496

SHA512
51962f252af48a017334a187af98e88827fd6e6ff4268c10a2a2c4a30e8046e2687f16482d82edf13c8a6574062e23e7b9da1ab3adfba26a270c419ea1a26d38

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2A7MW8A2\ms.jsll-3.min[1].js
Filesize
178KB

MD5
cab91ff466755efcfa1d8382745fe74f

SHA1
62eb6f132eb7f324bd3aab6de2cdf61925deb553

SHA256
cacd215430aa66f1391abd136f23ddb729b3fe44c6385a43b62d7a9e8479ea03

SHA512
b0ce8fbc6e83ad21fa1a8778b9ce46be0b27c1dc773dc795ba0ab2e7b0c88269260d5ff98685a99b636e08cd3b81a7c059d6c78aaa37e0a63528da7927795296

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2A7MW8A2\wcp-consent[1].js
Filesize
272KB

MD5
5f524e20ce61f542125454baf867c47b

SHA1
7e9834fd30dcfd27532ce79165344a438c31d78b

SHA256
c688d3f2135b6b51617a306a0b1a665324402a00a6bceba475881af281503ad9

SHA512
224a6e2961c75be0236140fed3606507bca49eb10cb13f7df2bcfbb3b12ebeced7107de7aa8b2b2bb3fc2aa07cd4f057739735c040ef908381be5bc86e0479b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\35Z4XZ5R\SegoeUI-Roman-VF_web[1].woff2
Filesize
115KB

MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\35Z4XZ5R\TeX-AMS_CHTML[1].js
Filesize
214KB

MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\35Z4XZ5R\latest[1].woff2
Filesize
26KB

MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OSSZ158I\1a849052.index-docs[1].js
Filesize
1.9MB

MD5
aec731ee465ec08fc76736b2906f76b8

SHA1
b35f75cfd3078654a38c3cb8e4262cf6af24e422

SHA256
ae78027f2106e9ad63993af8791207032ddac6daabc4fcbeade168268cb2f917

SHA512
0f9449ac31fcfaee61e4eb74d43b29b6c6cf72d782539644b454210d3cc75dc74ec305480507702dabc2e359e7e74ef64dba5f0aeb950b9c47abd9da10ce6873

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OSSZ158I\67a45209.deprecation[1].js
Filesize
1KB

MD5
020629eba820f2e09d8cda1a753c032b

SHA1
d91a65036e4c36b07ae3641e32f23f8dd616bd17

SHA256
f8ae8a1dc7ce7877b9fb9299183d2ebb3befad0b6489ae785d99047ec2eb92d1

SHA512
ef5a5c7a301de55d103b1be375d988970d9c4ecd62ce464f730c49e622128f431761d641e1dfaa32ca03f8280b435ae909486806df62a538b48337725eb63ce1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OSSZ158I\8f869e87.site-ltr[1].css
Filesize
467KB

MD5
e62eeb3f52ba733330df1ff1518dfc03

SHA1
25e9e7adbecfb1680c6f6574493c960bdf860251

SHA256
87c19eab72cbcf6942ee9e48cfb0e344f8d16b683229ef4a34dbfa8687ca8150

SHA512
306f945392feb0709f0dacaa919859e15c22d4425b8339865fab384b9b31432d04552ecbf7a4960f61f03160831050918315d89a8f0acd0cd755c33b40fc37a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OSSZ158I\app-could-not-be-started[1].png
Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OSSZ158I\repair-tool-changes-complete[1].png
Filesize
13KB

MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OSSZ158I\repair-tool-recommended-changes[1].png
Filesize
15KB

MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VAZM7KPP\MathJax[1].js
Filesize
61KB

MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VAZM7KPP\install-3-5[1].png
Filesize
13KB

MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VAZM7KPP\repair-tool-no-resolution[1].png
Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
1c48a8316ed2f2d1a1c3479114dd32de

SHA1
db2f23e63518dccb69309b5c598f17a3513a51a0

SHA256
e858c2af8b04b94ce090c36b3a235b776ba99125cf522ea80e57d76eb97d3449

SHA512
cc5030bc65c8b8fe822422208a82122d88c82ea96e86b40047c76b371fa7703447254a189ac768708f0e70093f41dd078bbfb4d3bca584eebaf28394668d32ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
417e1972d1395631b20642d8f448d385

SHA1
212c72664b5e30a46a8719a2d79ba3fb4010f805

SHA256
97a7784a51f994dfd42a91951bd87478f6881c84909f6ed922f6da136868f1f1

SHA512
68b6dd0ddb460aa850165ef7c0de5eb530f3e27760f5a89df2aff43991486e0a6ebd44b5414c1d742581d9852c96397a3ccfd19e9264048b43abdaa6f3c0b17c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
442B

MD5
d0b614841a5599e172583ff476df7676

SHA1
d9e6dffe445bbed83f7da24d7d99ed999808f516

SHA256
c816716193130ff3809962d62c1951fdc5f73eec69683eefbd150231c529c664

SHA512
b94dc16c156929a12983bf903fa45c48a07d269b3c9845889bea2e4c5cb8afcebc1dd9943f3549451e29b78700ae323330a9df534187f76dd27c28034679903b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
0fd00b76fde01a7180e04f138be22f0b

SHA1
07860c4b00502e73fcd91553de06cc0b68d1c728

SHA256
69225486ece368eeeb16bdd3717fe8b3888e80fd96147d84beaefb3894a71c19

SHA512
eeb480142eb06c17732f2bb4dd84916b9429147ad3121987b0a5d2453371820e721d65f617280a22dec37bff47436734e832287cca4c1d2b4ff0ee5c37c8f7e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
99B

MD5
cd13321bdef41f7575c97a6c302668c1

SHA1
f7de6ac53a6914dde55fe408c67ec934686ecc9f

SHA256
2e7ff7169fe44c0360335a47264f1963bb65ae1ca3f93a20922074f143491dc8

SHA512
75ea823f45820f7bc118f8f982faee3b4ede68ab42958723647c356b9f667026d37c75702f4360bc38e19b44efbf4d9bf574e8b65f6a8ef37139216041ab234b

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe
Filesize
754KB

MD5
d963ac1435b96872ea5380743976002a

SHA1
5f043557947581d52642d2622ea88e3d133861bf

SHA256
e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6

SHA512
24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe
Filesize
754KB

MD5
d963ac1435b96872ea5380743976002a

SHA1
5f043557947581d52642d2622ea88e3d133861bf

SHA256
e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6

SHA512
24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe
Filesize
754KB

MD5
d963ac1435b96872ea5380743976002a

SHA1
5f043557947581d52642d2622ea88e3d133861bf

SHA256
e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6

SHA512
24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe
Filesize
754KB

MD5
d963ac1435b96872ea5380743976002a

SHA1
5f043557947581d52642d2622ea88e3d133861bf

SHA256
e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6

SHA512
24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe
Filesize
754KB

MD5
d963ac1435b96872ea5380743976002a

SHA1
5f043557947581d52642d2622ea88e3d133861bf

SHA256
e4329b591798ee38b653024b171393393381df6881aa561bf70f0f2255c533f6

SHA512
24ca9faa7c4af577ee1cf5e5966968eab5a1c186eefdcb351efd59e6310103b5180ab931446c4b37f9a3ed834bd39a876585d2b8755cf49356afdb2d25ed7648

Download Submit
memory/216-407-0x0000000000000000-mapping.dmp

Download
memory/1116-415-0x0000000000000000-mapping.dmp

Download
memory/1752-364-0x000000000040FD88-mapping.dmp

Download
memory/1752-413-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3044-228-0x0000000000000000-mapping.dmp

Download
memory/3168-238-0x0000000000000000-mapping.dmp

Download
memory/3472-144-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-138-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-151-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-152-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-153-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/3472-154-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-155-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/3472-156-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-157-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-158-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-159-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-160-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-161-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-162-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-163-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-164-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-165-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-166-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-167-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-168-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-169-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-170-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-171-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

Filesize
40KB

Download
memory/3472-172-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-173-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-174-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-175-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-176-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-177-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-178-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-179-0x0000000004EB0000-0x0000000004EC6000-memory.dmp

Filesize
88KB

Download
memory/3472-180-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/3472-181-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-182-0x0000000007050000-0x00000000070A8000-memory.dmp

Filesize
352KB

Download
memory/3472-183-0x0000000007150000-0x00000000071EC000-memory.dmp

Filesize
624KB

Download
memory/3472-184-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/3472-117-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-118-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-119-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-120-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-189-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-149-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-121-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-148-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-122-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-123-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-147-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-124-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-125-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-146-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-145-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-126-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-116-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-143-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-142-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-141-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-140-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-139-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-150-0x00000000001A0000-0x0000000000260000-memory.dmp

Filesize
768KB

Download
memory/3472-137-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-136-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-135-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-134-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-133-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-132-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-131-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-130-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-129-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-128-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3472-127-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3904-273-0x0000000000000000-mapping.dmp

Download
memory/4224-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4224-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4224-188-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4224-187-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4224-186-0x000000000040FD88-mapping.dmp

Download
memory/4224-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4632-358-0x0000000005170000-0x0000000005186000-memory.dmp

Filesize
88KB

Download
memory/4632-296-0x0000000000000000-mapping.dmp

Download
memory/4844-258-0x0000000000000000-mapping.dmp

Download