agenttesla | cc744204664bbe57a739b6dc9ea221a6480c7331677c208b05b451bccd31a102

Analysis

max time kernel
1747s
max time network
1752s
platform
windows11-21h2_x64
resource
win11-20231129-en
resource tags

arch:x64arch:x86image:win11-20231129-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2023 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoof/WindowsFormsApp2.exe
Size

498KB
MD5

077abb82b84ddc20f64c1fc01bd48b87
SHA1

69a7f39503ec50d9305344cb09f2ab1afd736f7b
SHA256

c7e2265f4e6bd4a1ed9dc47f04c213a893ecc799ad61e407320cfe928b317093
SHA512

38002751eaec363e9890ec398d3f6975bf84823fd98ceadbaeb540a3b1ae38e948be912316fb61b7253d4fbada6f8bc527e4072ff68baa20c12b661f3d517f68
SSDEEP

6144:fy64DBFSbj/fG2uGAKsGAKsGAKmGAK1ino4IL52GAK1ino4IL52GAK1ino4IL5:gFym2uGUGUG+GsnoQGsnoQGsno

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2788-6-0x0000000005A60000-0x0000000005C74000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWindowsFormsApp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WindowsFormsApp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WindowsFormsApp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WindowsFormsApp2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 7 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
5116	msedge.exe
5116	msedge.exe
5088	msedge.exe
5088	msedge.exe
2168	identity_helper.exe
2168	identity_helper.exe
756	msedge.exe
756	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WindowsFormsApp2.exe

description pid process

Token: SeDebugPrivilege 2788 WindowsFormsApp2.exe

description	pid	process
Token: SeDebugPrivilege	2788	WindowsFormsApp2.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5088 wrote to memory of 3756	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 3756	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 2940	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 5116	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 5116	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 496	5088	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Spoof\WindowsFormsApp2.exe
"C:\Users\Admin\AppData\Local\Temp\Spoof\WindowsFormsApp2.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcf4513cb8,0x7ffcf4513cc8,0x7ffcf4513cd8
2⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
2⤵
PID:496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
2⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:352

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
2⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
2⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1880,2513320934167945781,18093673048577499290,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db2e4d9e346a898461d3dd73a9bd1489

SHA1
ed0676dbbdfb85caa47514b1ed9bd1686e2b5973

SHA256
63ec89c40c09cda645f11eed75b85d332b5898d774d56ac761f511a36216bbee

SHA512
64979cc44300f1b648c1fe78b4a272fcdfcfd3e2f2b50bc6c8a780aaa074916cd2061b45642f719a2d9790d3dee7bf159e59081eeccadca38a1a5c638efebd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8b541db2-5ec7-4c60-8e2f-4880ba1f4921.tmp

Filesize
5KB

MD5
cf3f7d1738a07692550e62a8bbc06e91

SHA1
624e390fa1268d41694c73405ad6ec64b58e3d43

SHA256
888261f004289ce594da064d895f82751aabaf0d38d6df31f939b2706334c18d

SHA512
0e2161a32f39481978a66f5a48b43e8f74b6eb80863689abfdba1ec59041aac454b9018911e52787bbca0743ac855957be13047bdd65a9135bd09ab41e9d6c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8592483bb0574571222c2159c60046b5

SHA1
27a869c615f4ec8e3587c8788427256b4a01cb5b

SHA256
1a577c567f7fe99311844f993a79a92d0484aaff4a54a1f02f858378ae9c6837

SHA512
46d72355210f2d79563cc1b2751639913a6377591cd2c97873e7840f0d6963ee3fe1787bd601aa894265ee5b6c20b6020d563d9fa6061bc836dcca8da98cefc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7029b6df54a782e78ce5f8c247e0520d

SHA1
e0f41a45304ba240e51a4593c0b210fd48d49273

SHA256
078f8358cad165557dae25019bb0530b7b476ef9e935dfed03412785ab0a21fe

SHA512
7951d703c47d6dcd7d232276881b4166e3d4897f6961e59768f2423ecae309d5a2371d1d8f2881a4bccff593b73fc8a993cfae3b045e7ac3be5ac35488a4565b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
916B

MD5
f86a0e24bd2c211deb7855f2e11fa79b

SHA1
6d2f1a4c2c16bfe4b05e93cac9985832e83e47e6

SHA256
c22335e4ef1c3ae786d2df210f57910d565bcc39bb4adf46aa985c4fbe0d1ff1

SHA512
ef50df1a858cb8da724d00ecb4872c39c3c492d024cc3a41201dc2020ffc3f270a47a9754f058dac0575c92447081c46755d9f2cd6d4a5c102b44acaa960910b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
987B

MD5
ad61cde5da426e8bd7d6bd352cad65fe

SHA1
165e4c43d138044dae865d54f4b1a0137fc91fcb

SHA256
511024f13ff2853b17ad486b12c1b0487ccad209ccba8c985f6c171d69456018

SHA512
cea75b33e7fd191d1d455c3e8faecbb04d9b2786856c56f36f0b78e38a01eee7889a8bbff7e958a2a56f1a27913ab11613d43466c4d3a309ac0986bbcd871582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
a907ad399e04a7c4307580c2962f4f8d

SHA1
e8372a700699fde6ed859b805b8100533611eaa8

SHA256
2fefa39ece879879584582233670de82b8a31c4bf737a3b815eecbe15f0710c1

SHA512
8e6bb8017d86f1c12c96be24862641330e9fceb5293a8ce22d13dc7e634f6116715b243af6aa9dc13a6221e0363f62ca04873d754537cb7d860737ac1be7c6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
68e1aab1d6a6fd73928c98fdc223a5e0

SHA1
f79628dcb004db4faf17cedcbdd24690cec8d149

SHA256
6f252811d35c1295644b11eb21614b32aa9c360dac4d339c3c88934ec9c601ea

SHA512
6658117d43d246b1dd1860ead8758881fbc6ef794b4c51191d28b8858ded9d8960c2d8c14c7f7d11c75a89b57c67bcbcfa27815598952337aec8e0757dcdbea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5cc0f3a3899fdc7f49beb3cf35562a62

SHA1
8d640f1177215eab9d792014b995b3586d549868

SHA256
dc0d726a5561a0c8306b65173a334a9e2e95cc3e455ba027bc7c089c0f60deda

SHA512
60c53d2c26cebe6e5b84cf6bcf0db3dd57b5ab13acbc566e612787fd74a21bddae25890f137861d5945f0e023965be721408a3801e6488850f538d3bb8480ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d547794a6c3b2237e20e05c2b0e9602a

SHA1
81b86c6577c1852981c371cf16b6e1c1d8c29d8e

SHA256
0aa5d08ef4caf92d7972a6a5c10d57fde8c55b4f4af9a904e0d4214c72a315a7

SHA512
bd81908e1bc0047749938cdec4c6ba833e1fb7025c1698ad66285ae549fb40aeaf3f864c7fbc08cbcf58aab8f6df32ffc52650216be3ec2be9bd335422f1d62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5562b4585fa6bd514813fb8c21703824

SHA1
5231cb8f09a1fe2aca30fc982140dc5b37749e2e

SHA256
ef32ffaf4317f6afa755ddffe5295f4684581875ecd96ab39da7ba3051167db7

SHA512
65bfa7fa52a5b7bc98c40d68484d4403f17c89a84335035f76121bfd558efd2ac86afa552eff29efb2ae5490e915af8f30b39c7be2df4e0fecc71d5e50a5e87a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
c058d43c86c549232b38f4ec339e5f5f

SHA1
d5f2ccc3a00935f7dbc402fe248e62dea3ea80a6

SHA256
5279a4e706dce4b6989d95d10ca1443df59bfcf0986783f6e9685a0b003b49f7

SHA512
19dc392d1cfd9c59e3d8b58a23c28fead2c3af9341e36dc3aca0e5872f9768a368fd886f37df312cb0ff3983cea01ff200c0725062c54197439bafac070f0ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a858cacb74b44674775cf4d9cf3004bd

SHA1
6959ca4b3e746e4fe5f8b706d509293d61038e4f

SHA256
a7f4e35a9195696a988748e24bf4e9a46e0a7458b17273c145f296d62ca906bf

SHA512
febaae34e00efbcaea3aa3d03f11cac821cf7e37c5995920fc3bfdaab1cfef0f36ae5bb4b52bd2a124420e633482ebe979d624115148b2642a024d7d0f912bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a960a999a11781ba00cf6406ca8b967

SHA1
7495e2e2fcfa7797162e8c1dda72b89e71388bf3

SHA256
ad6a86cef7293848732bff155c7cb858d318a5d5e7b7079bf22b42db0124ae6a

SHA512
c67bdd29f6990efcc97f11028bdf314ab11c0dcbc9b979db505e0fdc5d9f178a4f984d8b95e872b63df08b94e25ad607cdea57acf3910841a679ab84a0dfa481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d40cd7047440f3eb0593abe43f4374dc

SHA1
b417842573e2ab222f35d50976e166e2c689ba4e

SHA256
16e0a8065ef64631be5463fa2e0bf911290b1768063b5f650ca78d1d069c65ac

SHA512
f3c88ffa36b9f3de2de30e62aadaa7f3db50b72609c8973680d2c16c038d682a6d06b7ab6e46dcd6edab74b16861ac991319bfe59ede38389d3f8250339306f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0a0a3a73e906920349f50bea86ccd7e9

SHA1
5d73a1354cfc4527cb08bd682004f07a8e2198c0

SHA256
5d1cacb043f35f6504fb29f580c49de2d6b18668c9347cca2158f4a331db7970

SHA512
e5ac4e9bea8fd858c1fab5dc4ba1c6f142db9b0ee8597abf6d6cdb37aa279c3d6b02fcbec8c1d257aeff087671f03659b78365b4c1ed5d2cca35d2f7f01a4aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
61652f35eb10084faeed774d2135a06b

SHA1
5f90f844c6926be0fa70c7a9e028725819e7e85c

SHA256
0f966852115cd71587e35ce3f55f973735f4be2f62e4b6479506b9e5d0d14d1d

SHA512
301d20b7f4834ed42d36fc0276c75458bcfd0db524606134b2dba9bdd6fa7e74b5c4aab00a8a68efc9e3f4f7b223c97636dfca3c01404e3ab1805ca2fe5c2159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b665d5d8d8b7e222a596fa4201dc0c3

SHA1
ea08a9a1d95ef7496ace884123a9842c0fe93fa9

SHA256
2a64c347bae4f324b7afd35a6c3e5b612c484f62c3419b848672f64bd73f3a01

SHA512
45908ea548208de470b363413e08ce4372eaa09d7f9b303f1e0757005c17548ceacb918cabab271b200f644e41d8e686361a8ab74ac17a7a3b7d88a3a49023a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
33b06e6a1fa8f684c5b373b5f2bc9f35

SHA1
5c1cce21e80d263054e2b956aa20a742aa82d3ca

SHA256
fb8a92c5a96d3438dbb59055d7bad5ef1a0f8252fa35dbc807c24111f56376a8

SHA512
eb7b9a7e47da5ac961282694e6364b44fe2a9e01a22cafa6ab4d19e611dbed5ab96a4acf4ca6d8b5c398f5fa1b0083b93c10e9d3625b1e61b42545d7f5080844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e40efed5c4db17a78b2f741e86efed04

SHA1
9c639ce2f25c46deb7491200b41a5e5f82706187

SHA256
885ec6da5c4058999f56d4fdfa7f11af06032ea97ca26480dca4b485c11f5587

SHA512
ab2ea69b4eed58b0287fecc2f1cc7c353d65d341ce26cbab6fb3752b5db82a1e3cd97c6306da61d42b642039e75d94704a3603a2ba3dbab9e60e59bbac5196db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1448b4d4551563488044024988610648

SHA1
624c76c6f7021aaf54ab9e7283001a9d0e775d60

SHA256
c9c15956a75d967b9ec3f39e1dc7c249363e7b85dc73740a7fe0737509bbb590

SHA512
a4419796b18d5caaac7f617612be9d5ddea1b9f87ffa49219f7c9805b63f4ebb559c3b7ec7573298e314b3a3ffc9932e24177e39bad82ce34d95c4759caac4c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c668fcfdaada0e395afc813348f3da4e

SHA1
23054da56d180a07a46c57e0f2e40e5c4e537278

SHA256
76dd1b79f08ee053a3e33f820d6318fdaa16344ce2a4f41e54971bf732ccdc1f

SHA512
f5f025370ae26e1e0fe4ae7e52c1dbf6c07b0dd95d9f9832389a1e561fa6130a27bfb2216ee36217fb8c0f3cff37be646b2c6f9d8ca26a1a306b0f70c27350f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9b0f46360889e1c871697402314f1e76

SHA1
8208843ce56df37b450fd15d2393e5d14020a780

SHA256
2ba8e8ca365e16427acf5f6814f326c8310f94676d9cca3c3c5360484f77ec56

SHA512
24ee3a5d038f3af7fe7796cfe88575985f5d18ae0a020949e3f4af3e6f2f94eb2be5d37a13d207db4f06d8144c84491116f9ddaf23d3851c7b54f93571ca0686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e606b1b38d7d518c74f0c12187da9dac

SHA1
48af34007ebf1d1ec7f612c0ef3db8bfa2804a2f

SHA256
781d7ab8e77604cf6ded4e113d7e511db7d892f5e09dd086c89bab5d7ff10e74

SHA512
fe31b39cdb3474bc4ce95f9519537590b75d916847ad3958583333a6f7edd2dec54f485513e8f38c556d1fc21246717516e8160c61d03cdd21a8c82d8bb115c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
42a074b11c31eafbaca144a30885eaea

SHA1
7a42343e8303f79e4a68e8340116a0accddee0da

SHA256
de158489efd5d46e4fc6f4536a81211de7203c223874ec5c37f6d8c31bce0914

SHA512
7b461a1af7fb9740b37832e3655b91df3b9469b66505e92cd1e5ee1a2907a4bc6960084bb23068ea1f91758d5ddbef4660562fe4e57342448032226d15af90f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51ef8ac02acb2300856ce985b5385160

SHA1
aa65dac6375a0f630ef7cd49d519114e19eefd93

SHA256
f505ae404f6e821dc7128f863ccfdca784bf224fdeb24bf148b33b5086920d79

SHA512
6546cae208c2d0cb9d674479c0383e9b1d41d03a61c26196fa4a31e795ad1a821a7cc80dbe5aabc576e7054ba95b0df527e436510c4b200a623a80739578eed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed4734aa28978e45ce9a28fd3e48105a

SHA1
d1a16dde3f327b26463df326fc039801aba5fbee

SHA256
6203aa65dd72c0839a89943b994353db3e0b4797a1ec1bed53e05392b37e93e7

SHA512
0217acf22bf25d0897c6877f23c86f9df6558925430521e2a2a8b681c1eeca4ae90f64657e55826902da8e0bdbb9563987239f40cf91e7a2b2a8a48728a3c201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
96b2e042287d680a652d5b36b5cd79d7

SHA1
53bc7f42fff2c6274ee9fedb3729ef4d1acafeed

SHA256
b12d9ccc810aa452fec4f30933b8de1fb663ab5e9627e9cc8e3ccb4d940c9d7b

SHA512
5fd357b64ea93a43b1385532164814050fd7d47ebcdfa5c503ac37b8ff1b1e914a9e6d0ea910af02afd758cabee416d246c76bf5079f7db90ef54d43d43db935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6efcf9d833acc8caf66fb932a880bbb2

SHA1
cdb8606344cd5cc7bc3a5f355409d822387cdc87

SHA256
9b123e0ab89c2533daee941fd0436578acd4c91e5fed544f1a781a6517467721

SHA512
96e06c60c9ee7eb11d752310cbc9a1fb2e06cb89de8fb14c66536527376e244a77f4770a422176f666de8479f754806e765151ccd1a0fe659553dd4d0d420c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a1f5921230b073cc84b70653ad792c1

SHA1
3bd7c3d33d48ee2e40eb61321baa06e78bc6f487

SHA256
0a39246aa38faa78f3b6247b022b9148106f0cd8bd19ff26f02ee7ef41ffef19

SHA512
43eca1941f29e15ee520417b7cdf2c291f27ad20dba6edeec6ceb8ae656df21aeb4c5d74f43d4357a014b15c06cbb508b21953600e5715eaecb62f8e8043d713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592948.TMP

Filesize
1KB

MD5
4d7aee95e5588b9f5deb11e2eed2758e

SHA1
66d3b23dfd1b39a392dbd31e04cbaf7888c2fd77

SHA256
e650798849206b0edd3d1f2e6027e66a05e47eff116e6dd66654d59dd22e5eba

SHA512
c5481af5daf19e7b168d16a00ba7c95b2faaac209ef6998713f181fe0c9f93086eef7edb2a12bb9990a7b02d9bbcb39673e285f00dfa91abaaf2f28c0a1daab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9365038131fc8c03ed0cf1dbfb7ed273

SHA1
143b0e06a38d63c57b3e2d0691f0931790fa5027

SHA256
b463838bb59fa6ce4604bfc9a0f4b03d5bda9773a64db749bd4b78b7db219c1c

SHA512
e2f8091ffed479c362d9252d81da9e332018beda277ca3148dcd6afc13dadbb2ec4b914aa39a725384c00e34f0689c8b25a04311de3113a5ccb1eb801acaef41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_5088_YNZWJKZLNXRMCUSR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2788-7-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2788-0-0x0000000000320000-0x00000000003A2000-memory.dmp

Filesize
520KB

Download
memory/2788-10-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2788-9-0x0000000074BF0000-0x00000000753A1000-memory.dmp

Filesize
7.7MB

Download
memory/2788-13-0x0000000074BF0000-0x00000000753A1000-memory.dmp

Filesize
7.7MB

Download
memory/2788-8-0x0000000008640000-0x0000000008652000-memory.dmp

Filesize
72KB

Download
memory/2788-11-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2788-6-0x0000000005A60000-0x0000000005C74000-memory.dmp

Filesize
2.1MB

Download
memory/2788-5-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/2788-4-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2788-3-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/2788-2-0x00000000054B0000-0x0000000005A56000-memory.dmp

Filesize
5.6MB

Download
memory/2788-1-0x0000000074BF0000-0x00000000753A1000-memory.dmp

Filesize
7.7MB

Download