hxxps://mftx-zgfm[.]maillist-manage[.]com/click/1f9adfaf12809e62/1f9adfaf123445de

Resubmissions

27/06/2023, 13:47

230627-q32g8sfb4v 4

27/06/2023, 13:40

230627-qyt8csfb3v 4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2023, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mftx-zgfm.maillist-manage.com/click/1f9adfaf12809e62/1f9adfaf123445de

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\53040621-ee93-4d39-80fc-5cc75984490d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230627134832.pma	setup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2608	WINWORD.EXE
2608	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
540	powershell.exe
540	powershell.exe
4404	msedge.exe
4404	msedge.exe
536	msedge.exe
536	msedge.exe
5044	identity_helper.exe
5044	identity_helper.exe
5052	msedge.exe
5052	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	powershell.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2776	536	msedge.exe	87
PID 536 wrote to memory of 2776	536	msedge.exe	87
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 3652	536	msedge.exe	88
PID 536 wrote to memory of 4404	536	msedge.exe	89
PID 536 wrote to memory of 4404	536	msedge.exe	89
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91
PID 536 wrote to memory of 1036	536	msedge.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://mftx-zgfm.maillist-manage.com/click/1f9adfaf12809e62/1f9adfaf123445de
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://mftx-zgfm.maillist-manage.com/click/1f9adfaf12809e62/1f9adfaf123445de
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff57c746f8,0x7fff57c74708,0x7fff57c74718
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1896
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff74af05460,0x7ff74af05470,0x7ff74af05480
    3⤵
    PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,1753429753244442956,1550893602147602829,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3180

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Revised Sexual Harassment Policy FY2023 - Copy.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
e79f3878f69965bd5d8ce5e160b9f3a3

SHA1
135e2bb550123425e6d9960499056e067343f1f6

SHA256
de8037ccfe61abfc6160854f230051bca7a67c94b602888256ec5232dc0b996e

SHA512
30f7d6f9f28b901892f62652c90e325060fcc6ddfc89e144249e4e07b56d14424888598d6520ce9a9b41c792218c516a076841e36033e9b1f2b359ad85c0d8b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
715156f54c1062288ead451ca5a95f26

SHA1
16d4dfcba0be024b66d2817c27cb45404881fd75

SHA256
7977e90e30132c869b415488caa1bb57b74f10008a2e91494b38b32dd5b74df7

SHA512
20ec7a0565c175a1e8c2a5b6bbe7ca150c8c4811fe0af45cbfc05d6ef81d21bb35cc65fcb1614df5dd0df8e79a5f64b4b49d81a995ddd6ef7cc442c26e649ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2d4fe7b4-cc99-40d0-91b4-3f8c40e7e5bd.tmp

Filesize
9KB

MD5
1e73d2f2b5b59a58176819ed858219be

SHA1
47d48b5de484a1c24d216e6c261d144dcd19c58d

SHA256
0be28e3ecdc76beb006bcf5385e88d9f4d7dc778e1c74767ce1c28d254ac1010

SHA512
5955ae213284397f401b1441dd84604cd1c3ba18be21caebfb1151d56c234f0233af440f000b271d833d59b8fb510f5fc1c5b78d62e1b62a849a9091c0f95209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
610003c56a177b0384d6fb52bddd79da

SHA1
dee64128972597ba8c0ae9f4ac502c1065c670d9

SHA256
750ed9c6bf8f2155b43e1e9684ab39c383ef2bdf375ae7820a488b59f0495877

SHA512
c8394769c6ed907ba07a087ee29c62e61f1aa490cc11a431831010221cd789a8f8a8be33c8894e76dc1bbeea7c512b2ce6db76427c470c1a74c9d5bfd3ef6298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
055413454fe994a1f2a4356edeffe33b

SHA1
4d85afe3b54e1f79e8fc882fbd37dc89bccaceed

SHA256
e6e9f98b886ea24be09b9630e64d2b666d34723c5730aad53d1dc6ecb2859425

SHA512
865bc1dc6e679d5022f9308adc4908b4e75733c960fcd727dbb4e033a7d1a58b76e2dbd0a80f0fecc4d4086d12736204ef4df9e14f338a777505bd49569309e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6e6a6d28ad5126482baa31dd17624482

SHA1
483c8aaa630f4a71370ed0bfe06b0f1907c51257

SHA256
3490c1527182503bff54aa08a282ead4563deda7b5b4bda676188891285febc5

SHA512
b6d485acf490c3872ef287bb8cfa0baa59d93b3c2768f7838e091b16cbaf97476e893edc35a7cb02072bfd9546dd60f5fe1e5b5e32e7437b9e70ac08ccee4f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
7ad5532d48174481fb41bab02f19e58b

SHA1
a9f7446c9b8b0175f753274d35ec468228f0c706

SHA256
ac83a28bef8e451f2ba33212b1b3c6f1956507615c8933b42cf6f441dadd8933

SHA512
93321587e046627740a32c8993f619e563103279d6290189be8d90a95a9ba62d56a1a233b34941ad4889fa2db16a6bc8733fb82f72484cc8cf9af1bf79a69b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
be5d6ff8d99dae423ff6d83c3fdce989

SHA1
4d784095d884f22227cad82e904872be0eef9838

SHA256
c1b72751b5372c512aa0e21d07550c55bdf7be4494dbbd760998488c75080dfe

SHA512
5ab24bbddbd75df75999d5b1708a254d5b57039253934ec6305d338feed166a298d29070c2878979dcb3d539871b7632400c097da76630eba3513d20f290f0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
610093dd1c1d24b1b074d5e18f3b0dd6

SHA1
ccca44a044019da85dea03948d592f77dffb2892

SHA256
e59e07f9df4e4d2a9fd1ed98dbc59af81063e98b8154f6e951f8a623e705d217

SHA512
8da2abedd15ea383621a8b96156900391cd212974f250cf92de53d9267accebfaf10290597d3254f9accc472108992d3769eaffaad98196ed1d7b0a6c9db4cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3a0c169d38655cc681f971f97d84ba97

SHA1
40fc5a1e1f7dc41a62ab05b1831b66588565599f

SHA256
833a0eec1b07579bbe5e699958d7a85ece18849afdf31977386636fe8782fe00

SHA512
354d3e0ecdd423a3a114e36feda0e008d67da5a3a2c7a11680285cb26378120ad2f601374c55fa9ec15536be5726b0128dded8498dc49ed183320a82e51e9146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4e3c07cfb5956a8dc9ae1e3db1af72d

SHA1
8dbd8f495a960ba9208166e87cf53524d31717a5

SHA256
e024430bb4714e2c314f02417ead5b23adc97497d95e75137aec156f4cf79b5f

SHA512
d90e5ff2230889c66434c2d67546cc4f5f2e0640fc616c541ce117df2a41da3eb93b1a43da901aec4898c6a4dda6643d7abf1fb1ef76011dc6effd95518109d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85e9dfaaa942f5577d43d4481813f882

SHA1
310f8e2d412eb775a7b26ca57273516109763c9e

SHA256
e71f2d4dea2c010b67e2107b2096cdb96a18ee295bcd44793e4836d7fea843aa

SHA512
66594ebe58c127bff7afa494658a6d64b9aad842a3990d63da47342961c5a179ac701ba68e242ba2a94025e82fce236e6b83fc721ea55625b5f684861daaa485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae4f13b6a537a9d76e68455d31d262fe

SHA1
95fe8cb00c674c8893754f1f6cf92cd2bbd4a37d

SHA256
8fad85b49b63aebbdcae8d401b0467361ed8de5f5be3dc1e58a3a6c232581066

SHA512
9881b4bb7d2ff23cabd582342986d28e4d1d0a452b8ebce4032b4d7c1ea5600e6b73739362145b5beb064448092dfd3a8f53864f926977834ac28a6a8437b764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
234982a32e4721bf2a5ce26a3b218e14

SHA1
b8d5e76a570951d6a340a27e8bbd80c0b959b2e6

SHA256
eb37348c0f4a2a7ac6c0da82c70d767927113645db147a576b0bb95928d6646c

SHA512
ec2762f9db5957e0aeef2b3308a847d3a0bab37b35549dd418de1b5538d18607113102eb86a0b7d0bb34b812d9e23e15c773fc6b28ece404430051c3abbe2e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b19b048548718e5ec507132a64ae96af

SHA1
95b7e9da11ae6d6abc367e8a37e3bcc203eeedbf

SHA256
b48eb5eb7e44576078ed25adfa3f819949a29cda229776860aca77c19107f892

SHA512
942d72f9f25550a31bcaf134f41c612f08392adc112d9d58e4187bca76f26d7e012cdd0bffadb1dce574254a6474ee604ca8dff2335d812566fc0fdb1155124d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4fd054c69665ea437b1a20e418c64443

SHA1
e8d9eee4354ebfe06180117f718441784241577e

SHA256
3019dfc3ad41088ef51f0c69004e66fd2e97176ca542fa07cad3ed9b2c00eaa5

SHA512
8b2067e825a1cbb619519a1d07ecca6aed7751f7690042108a6cc48241a734f1e0d1f027baa07d6fe27ad58c5dd7da41a0daa749edd2a0c18921cece1b08e12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
80502c26dc4a40d886feb60cdae191e6

SHA1
ce52e2e3e2d2739ce44ebbf40e333b12fb252207

SHA256
e283813e7208e9b850140da46e628e03fc80f2d29c1cb7f315e34770d81f26d9

SHA512
1bd7e27889276e764fd48423100e7d0847cebda0d89126cf3846b32a76f9691e8a34bf5d772cdf809e24588bfcd65c2fa7982e7bd4a3b2bcafe0b30c72f8eb88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c81cca7ed19ea14eeffc843aff036c3b

SHA1
db72c451270e1c877b6e7eaa3d719a1f0469557e

SHA256
db29d66b4fdf37bd80f4c9cfdc8ee6d84739f849a8389286a985d65fc675fc31

SHA512
d8f458667996375cd9cc21b07a1b7008ec643256d728b07a4de8679bde6366e9f1c95d110a3189b5971e22984d560fa69e1cdd0471a52466ceb60449b0ef15eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1c9c13a21847ddf1b3214652f901ae48

SHA1
a07ea14edaad52e2a641ebf7f2cc8ad182f06030

SHA256
5234c6a46e4a842d7531c5e2d2a15a83c9e6937c27b9bfc56daaff3a0ef8dc8d

SHA512
b27a1aa467b51dae74bcec0b84889007df6018c71148ed9ab22ae0b2b8c80db3a2bad35310eba4b537dad44cf977d5f182e28b5964b8498ead45d0f312133b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
f8de7e4b824e7b2c23a4168723d912ab

SHA1
78795860167c2fcfd68fca29638be006e8fadf3e

SHA256
aaab88f4c3ab7a4e74de88b49d52a417a421fc58f579782230056318a6800c19

SHA512
b4933e1408105e8cd51a177f7150e5d2e78437b6fd11a7bbf61862032e58439b736960bdadb08c9384ab4e9e83e8f07549a9003f0e5e28096de8274548575f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
152381084c2e03b46191dd5fc684ad09

SHA1
dd23aa76489e2d31349120016629603437ae31c9

SHA256
7771296f405006b082efd9c4b7c44ec4d7c110e3b4b5b76a1ffacb44606f4cf5

SHA512
4a3662cfe08b9258ba73415521c934c3b3a844bd0ad25b0be0de744e9bc0ddc5ee14d4f78b0a2e989569329230a6414046473b1ca4254c3dec46029262e735c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
af93ee1fdcd8c4e8057eafc07e6ee459

SHA1
734d26859e5562f57900f14697a2782ce3910565

SHA256
1bb3a0396c55aad880332df903498094d8f0b0a009c724c7b2ed2caaa6f7d0f0

SHA512
486f905de95881068204e19850be3457c4fc3445fb6886c31adbde1fea3b6e90d9264f60f86b24330044a39f2d00c6dbd950e4ed76cf1be7b3f16dbd336e726f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe572337.TMP

Filesize
536B

MD5
11f5cdc02712650aa8dbceb376565614

SHA1
de4bd4d743cbca91c3ddeba5cb1450bb0f93776c

SHA256
c5279b2351ce31b2fefed7dd7d87a0d015aa0311b7db57bd751bf511048a8e9a

SHA512
db6382d654ccba8eb097a92e33b31967750af01234dc6fcc0954749714c9d77b054d64ac8451de6182ad147fbfc6c77ff08e9ee8e465d4f464060b13b7742b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
e9cc28eae56c6e071d7b9b8e4029c90b

SHA1
47a25e35dac45a6427d1b33a4674212a8030b77c

SHA256
fc65df0388c5b0ef2dff450b4d9066936e3f6f627495bc30d3b0c2ff5eb74b21

SHA512
af8c31241cb60c2a89659d659d5339f5876c9789726abd2344eed7a578909240294ff56586de37df32b569ca9d62b3baed0e25c43c1ca2b6674f75f603e3e646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
d899382a5edaf7c02eb28c604375673a

SHA1
f94cd9cba2c32afcea794feae11d873ae478c8b0

SHA256
25f9f721e7bd03e9e45de646add2d136bb6a99c3b32d2c9c262343255de247cb

SHA512
5ba2f6244421518c231530fd631dc364b7a825c9049a50cd6cebfc6d55fb1e3a2b1effac7276f43520d257f539325b6e93661a49a54377caee33cc687047f6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7d6e603cae3fcd2530d12d38108bcd12

SHA1
c34bcacce7031f2fd8e64568d241d3154a322cce

SHA256
a3f6484ccda11a052bd8be52a7e54097c6afff912a6e9a86cd0c3a3e8c2ae601

SHA512
01f1f0948abbc439ea021f69f54bf6ee6bf3816b441cd45e7d59274a59d838206238c3472a9129564c14d4737d9be69e4290ff66ad3cf675b87d971136a0d341

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r45gsmcb.saz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
301B

MD5
e96f651a2c813e63528a39c09f03600f

SHA1
9ae4d220e9c5d48289c2fb73010f8e82c88f03da

SHA256
a985513c045f185f8bbc252b58d685cbef3eb0eb963e4ebab6afbd9409d7b92b

SHA512
8429d2af27561f008c0edb9373e1afd0aedd5cb22491aa0605440133fe3a79d4df4811d65479e440c10a4f3290f5814423013096d00795a1c0cb1f03a4bf50aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
23f6d6197441356b49ce5927a7d07766

SHA1
1cb67e233a1b1e04f5cc43cdb8222b2160324d31

SHA256
5e0ebdfef886c150897e0f2799a22cf16115fe6ea33f9d0331c76f5c9831e861

SHA512
9e3a531ff2efecbeb989fbc7df5c9a690b36bde831155b686b774323655cfeb706c5bc8c9e69717090d9866b7a735af7f7628b315cef912f8d2ad730dcda52de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
de313667b032902eb342d56046157d22

SHA1
dd67f608b4309b71642a30cac8f26a25dba7666f

SHA256
163b5a7c3a1159647079fde2d5ae55d27c97086dcabb9f5f23825e183f8a65b6

SHA512
32c48f3726e59d142cd340cb2761e54c61b08a0eb6e5c33b7d1080ba2096754456515cc2c4b90c25ebc999e337ef9069fd1ec910472405f9e7df6bd11008bb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
e9fc5e3f604bd244afcd668b24112717

SHA1
545b1cc775ad979464613925afc51d023d6e58c9

SHA256
813a5d8ac1d574bf47385826db59ace8de8a55b6e8dac49b5981cdb1f14fae8f

SHA512
b7e4f12557b235f5791916ee77edcee8c26156c89bb2ae84dfa1706e3f87be21da4529b93fc6fc6c9ca80c7bfd5d6657dccf97f2f381a1e6be8c6a9b7f44379d

Download Submit
C:\Users\Admin\Downloads\Revised Sexual Harassment Policy FY2023 - Copy.docx

Filesize
19KB

MD5
2a967e99b267bb93a28c6df4d7671de5

SHA1
c313d50ff61ff1c6080873c2fd5333bb223e8e58

SHA256
6128f0ece9bed688fbc502b9684503c9b0f0e8b3e93c8a5cc6baba74405ca37e

SHA512
2d966d6bc750b68cbc2d4a9d1afe244a64c6573e964c1e2ac4886e0e61190ae3c94da8ff3e6af9af181761ca3256b5557b3c32a30d5e17bae5ecf4db15c17452

Download Submit
C:\Users\Admin\Downloads\Revised Sexual Harassment Policy FY2023 - Copy.docx

Filesize
19KB

MD5
2a967e99b267bb93a28c6df4d7671de5

SHA1
c313d50ff61ff1c6080873c2fd5333bb223e8e58

SHA256
6128f0ece9bed688fbc502b9684503c9b0f0e8b3e93c8a5cc6baba74405ca37e

SHA512
2d966d6bc750b68cbc2d4a9d1afe244a64c6573e964c1e2ac4886e0e61190ae3c94da8ff3e6af9af181761ca3256b5557b3c32a30d5e17bae5ecf4db15c17452

Download Submit
memory/540-142-0x0000019EF6E70000-0x0000019EF6E92000-memory.dmp

Filesize
136KB

Download
memory/540-143-0x0000019EF4BF0000-0x0000019EF4C00000-memory.dmp

Filesize
64KB

Download
memory/540-144-0x0000019EF4BF0000-0x0000019EF4C00000-memory.dmp

Filesize
64KB

Download
memory/2608-532-0x00007FFF362F0000-0x00007FFF36300000-memory.dmp

Filesize
64KB

Download
memory/2608-529-0x00007FFF362F0000-0x00007FFF36300000-memory.dmp

Filesize
64KB

Download
memory/2608-530-0x00007FFF362F0000-0x00007FFF36300000-memory.dmp

Filesize
64KB

Download
memory/2608-531-0x00007FFF362F0000-0x00007FFF36300000-memory.dmp

Filesize
64KB

Download
memory/2608-534-0x00007FFF33B80000-0x00007FFF33B90000-memory.dmp

Filesize
64KB

Download
memory/2608-528-0x00007FFF362F0000-0x00007FFF36300000-memory.dmp

Filesize
64KB

Download
memory/2608-533-0x00007FFF33B80000-0x00007FFF33B90000-memory.dmp

Filesize
64KB

Download