71547cc2abfbf2f4a7471534edca636a4bb553bc069b2baa0bdb72772f75701b

Analysis

max time kernel
10s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c4f21627b35a1871da48f21a7225268.exe
Size

298KB
MD5

4c4f21627b35a1871da48f21a7225268
SHA1

c001abd94dce216e0b3dbe31e12ed44d4ef60f4b
SHA256

71547cc2abfbf2f4a7471534edca636a4bb553bc069b2baa0bdb72772f75701b
SHA512

7645a689980a4b187176c75b34f02d09558237d5a9bf20dd843588065f2e5b3a79f39e86d6513a792a3629238dae3568329c36c08e2c5596fd7f3f256a0f4bae
SSDEEP

6144:CpDDoDdbgLxQCv1L08cQHHJaHcggRDAZfBMKQxs9L/tn:cSGQCvxTa8geAZfBbQQV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 23 IoCs

pid	Process
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
3256	4c4f21627b35a1871da48f21a7225268.exe
4268	regsvr32.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mkrndofl.dll	TextInputHost.exe
File created	C:\Windows\svorbmke.exe	TextInputHost.exe
File opened for modification	C:\Windows\svorbmke.exe	TextInputHost.exe
File created	C:\Windows\wetkadmr.dll	TextInputHost.exe
File created	C:\Windows\qvlbodmnwra.dll	TextInputHost.exe
File opened for modification	C:\Windows\qvlbodmnwra.dll	TextInputHost.exe
File created	C:\Windows\knxsrgte.exe	TextInputHost.exe
File created	C:\Windows\mkrndofl.dll	TextInputHost.exe
File opened for modification	C:\Windows\knxsrgte.exe	TextInputHost.exe
File created	C:\Windows\tdomgafw.dll	TextInputHost.exe
File opened for modification	C:\Windows\tdomgafw.dll	TextInputHost.exe
File opened for modification	C:\Windows\wetkadmr.dll	TextInputHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}	regsvr32.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\ = "mkrndofl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\HELPDIR\ = "C:\\Windows\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\VersionIndependentProgID\ = "mkrndofl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\ = "Ibsvq"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CLSID\ = "{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\InprocServer32\ = "C:\\Windows\\mkrndofl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\ = "mkrndofl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1\ = "mkrndofl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CurVer\ = "mkrndofl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\TypeLib\ = "{8E63BBC4-4194-4918-98F0-4F55305B186C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\0\win32\ = "C:\\Windows\\mkrndofl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1\CLSID\ = "{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\ = "mkrndofl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\ProgID\ = "mkrndofl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 3836	3256	4c4f21627b35a1871da48f21a7225268.exe	167
PID 3256 wrote to memory of 3836	3256	4c4f21627b35a1871da48f21a7225268.exe	167
PID 3256 wrote to memory of 3836	3256	4c4f21627b35a1871da48f21a7225268.exe	167
PID 3836 wrote to memory of 4268	3836	TextInputHost.exe	54
PID 3836 wrote to memory of 4268	3836	TextInputHost.exe	54
PID 3836 wrote to memory of 4268	3836	TextInputHost.exe	54

C:\Users\Admin\AppData\Local\Temp\4c4f21627b35a1871da48f21a7225268.exe
"C:\Users\Admin\AppData\Local\Temp\4c4f21627b35a1871da48f21a7225268.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s mkrndofl.dll
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4268
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s C:\Windows\qvlbodmnwra.dll
    3⤵
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe
    evws.exe revem
    3⤵
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe
    knxsrgte.exe reg
    3⤵
    PID:472
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe
    evws.exe C:\Windows\wetkadmr.dll wetkadmr
    3⤵
    PID:3736
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe
    evws.exe C:\Windows\tdomgafw.dll tdomgafw
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsjA972.tmp.bat "C:\Users\Admin\AppData\Local\Temp\4c4f21627b35a1871da48f21a7225268.exe"
  2⤵
  PID:4924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4392

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2280

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4808

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\750a291201b64c60988b9b9d7513b7a1 /t 1744 /p 1920
1⤵
PID:4332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
fcff0230b5d2518aa5bcb53e5cb6bd95

SHA1
84e02eab4dc8e963711ad054dda8073192c66f04

SHA256
8c0fad7b8bd59ddefd60d837653fae5bc4010ab28cbf658b4c3fe7092fc392c0

SHA512
a334311a9c0ec08264731a82e8f55b47cb3a21e3e95b0cda4881de5a523a81cc783ebfaedeb002a653f1cef71bcc0a3f6abc3e875cfc9b5db3a4ce637b29bc5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
9925ea3c7c8181a2ad6e1feacdd226fd

SHA1
f5dd06f09172a1b2bb6a82fb36345e9fd9e76550

SHA256
5fb85d31e21f600937608e90e6701c50438ca835aa475e7f383bb9a845f0a5a4

SHA512
78bf506879738ee650df817ac5d66512e756cf84792ccaa37b04e5210da210d8cb2568b91eeb909e3894c1d9925e054232a6284d97480647a92599b1751b4b06

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
bf0e19bb741e44b2c9d8310164537963

SHA1
58472ee11a756efaaf29bbc0c40153df199c7363

SHA256
0434ae760f4ff61bfc008d518b865ac0c751e0962e3ff45a868b21e53d9d8455

SHA512
5dad52d6bebed6553175785a41c0d00692d756ee11aece1f23a358f23c03618b00218d8f2b33c2928984959ae2d6431cec4cc314c8022ba3dab82498b0faadb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133486727107490322.txt

Filesize
26KB

MD5
c5986ac35cfcda7c0b7c3bfffd2deaf4

SHA1
bf83b3e84458eb72caa4d5842687798ab17d889f

SHA256
2f69a5d2e7c72f121a218c1048d0c7022f00649d1a0a649d5eb25d6b395971a2

SHA512
2315eee11d2e66ae55d3fae9f9c2f58d6399b289a43ce08aca9e40467d6f2151f84688f373e521a0363cf14e8488e02cb3459baaa7b2c8a49b25b77d708481c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133486727107490322.txt

Filesize
53KB

MD5
a96391c4468c617c8547fe87deab88a3

SHA1
0e16739da052feb8c7b2304238450421c784e892

SHA256
c9786c92e3d7cde4f5879f60b437b90b304b5cf88f69aea354bc9418409cdfc0

SHA512
c6b29da2edd697adf891bb702af43dbfef24ece61e0b69a2d87ab8432800dc03191a9a030ecf323f702cb5ebd61f68656fb8f8abba123f53c2dd3a50362ab704

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HK1EJLEO\microsoft.windows[1].xml

Filesize
97B

MD5
8a0b2c3408d7c0bfa793057099e9435f

SHA1
a51b2fb47f45ed74795dc8a4fc6b55c50ddb7c60

SHA256
4d4f7c69a41642f448f1be4d535731fdf4aebe44a4027382b4185b4d000905c0

SHA512
33f2843f967dcdfca588c7f331fd62b7428207a8c921ff39c5d67c04521fc16b1f80d0de1c9fad2027d4a5c19bd0e6bff8b4236a6da60b0936349f8c0f8d2bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
21KB

MD5
ea61e1a79705ebd42af04cc34bb89298

SHA1
4b30f305d179b41ff6ff141fe140dec62fe09f2e

SHA256
e3062ccb5d7f0fde58d7e5f9d6633e4ef7c1d3eca67bc643e598ec5a97a119ba

SHA512
4d7abbe979c8f0e30ed00b75b8139051f5dd8ab984aad272e4fb4e2595bb6edcdb76b0dab104f62f576b03d1b5f8ab77dc24f6a2024be451b6ee5d47c50e39cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
1KB

MD5
d51c67b08aef990f396e63826bf22cf6

SHA1
bc090a21b29db1e068dca923222454f335d0e280

SHA256
dc92c6ce627a555b61901518b898a7b70e23962fe0a88cfd60d393615ef00a0c

SHA512
20f8976dbd2b665e5dd22b0ef780d85fa6f10dd11b24a753314072986f2c84b91941cce069ac97e22817ff4451cb5d7f1d15124be17f308c0d8e785e0ea7cf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
22KB

MD5
e8ebd231d99a4eea3e28cd18abe6d9af

SHA1
f68580b9af3f3ddbc03993ea5fbf830737b13901

SHA256
eac72afe730ab68f4657595ddd839059e772780b0764d2cbd3d1da456e5de641

SHA512
e7efc85fdc42c4ec3bccf613c33cdb7fb6984883e92ab0c9a2ccf644af6c260653d294380a9788acbd9fa89c95b17c7ee16b48cc9dc70fe0099e55ccc1c05d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
23KB

MD5
95216825874d5a768634abebbe894f73

SHA1
752f295e606736ca50e62ef5a3ea04df3427401f

SHA256
733f07f4d8ca2a4104565790f671fe23b59e861bfb1039f8ef61c0d791ab7725

SHA512
b5c90c57094b0b6d115cf952d16b5096a44790491160c55e87eb51b76a49e1108789e729b0c8d093495ee3ee15ecf0791f9535b907823e44448ff5131c42ba86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat

Filesize
1KB

MD5
66b193bfc99622e0bbc6c5a2cee12945

SHA1
c1d29192f9e762b37882c332f522f6701977b5fd

SHA256
c910a213d3e3942cc106dc620450b503d79e881128990c7a8935e6a796e3a7d3

SHA512
32c7ee46350e735f2e278dbdecf19629460f2a29cac6102be9befe94ad08177c435bfe1a92395a0534859ea475b090be021ad079af13c8de1f6af8030105c69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe

Filesize
8KB

MD5
a1aece73754c95ce775a50540eab3e04

SHA1
47473471f1b0f7efb4df4701b64d2a7a56ece26a

SHA256
987f2f9f20169d8a053962df5b63b469f0cff9cfd0007f06cdf76eb5f8f7c9d3

SHA512
d41895ba866154f09057debbd6190d794c72d766df5056fe9b7b443af89cf82eb1fd5c656dd4b29b85049a06ce746dc5c5723431e31bf5a848fa4ecc29b2c0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe

Filesize
57KB

MD5
ffdd8bd4d6803d8d1af42e1819f0f4fd

SHA1
91e6fdbff52ff2c8a6b095d29ad3e0ec8251159e

SHA256
05e498464ecce1fa772315e60c25a69e9743fdeb9a3d5c06acf7d9bea1279f9b

SHA512
111696d22f7cbd90b7e6c74fb6d17d41f50eda349885b74289972c774186f2eb7173fe925f44cd16077c081ecd28e8eb4394f96173a18fb5002c0f5b40f07da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\mkrndofl.dll

Filesize
15KB

MD5
87da3248215be279f6e3050ff29bbb5a

SHA1
047cca78caccf9112718d44254f14183a425f723

SHA256
7d9d7ea58db63e17d36f6236d91c92bb848d6f62978e8ea099f9b33942b941de

SHA512
b688b26734da29a2696813eb5193e1fe8865b13b52ad4fe210ef7381405d682a39380fbf908732bcf7abf01537afd5eb52469067483974118be518cd9a34b123

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\qvlbodmnwra.dll

Filesize
23KB

MD5
ec2aa299c284b87bb7557409418ec693

SHA1
57ddc931c9909929f3bed72325231541df3439fc

SHA256
f4b80cd9073ab449bb78be8dc4c674c1afaf3a1a65d3ac1fed2513ad722de992

SHA512
1aab4424037d16e35fae30422ab296b21c322b1bed9761068db3c83a6f87b5e9133c81a54a5b90cee53e9e319e8b08c41198171fda2749332643c89b232d5deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\svorbmke.exe

Filesize
55KB

MD5
d570cefec10dee5fcbc464a1e9104f8c

SHA1
58b6451533317a2bf10319d2ef52140ab1e660d6

SHA256
0e581c54345a39bfbf2ed0b24dfacf9cb7678ce261ab08f01ca2192e4a0548a4

SHA512
fdec525377ed55dec6cbe69fbd457c0d9a59dfc06167a94ab3367475f8eeb6c16820c35475ebfad58654927a4a5c463588bd2fd3880c72a9abe25cf8f8cbdbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\tdomgafw.dll

Filesize
34KB

MD5
4c0df0ba3b2ca6d15d523969dcebcb0a

SHA1
87b18497965d8943dceca33fed053b71d16cca63

SHA256
f2933ea47d7c6c049a599665d8d9bacefddbfa5ad7a4e719029190c64ea4f408

SHA512
cfb7c8235bb9604a157b874ae96615e4cc5dc12ab12012b525a6412c2f430f23437b41c6a6ea6f15657f0ee66847355c8c64c7770233e47f2d7d6efad6318ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\wetkadmr.dll

Filesize
7KB

MD5
a1ec4e7dfc424026abd781bfcf5ba51a

SHA1
feb685a00556e48d78484b73469e16a42faac2fa

SHA256
97ce9b4aa896a86c8843b99e11ea2afe04eefe48e4c5395027bdd0b263fed9fe

SHA512
67dab313c071516b66bbb71eedbee2bdbbb50a68ecc6a8cee0f9786b551414725cd1518129050969dd04788e925740887a0f7ec4c443c29532829e42511b6424

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA972.tmp.bat

Filesize
113B

MD5
4022522cedce98b879060bc2e70bd49b

SHA1
950a2deb89eba1c7ba47f2044e253aff2c567ab6

SHA256
467b560b55f111cb744bd0b6654f5900601e47ac14ec27602ee546ac0c438ca5

SHA512
de4d5401261b903fedc3d7799919d43f9ddf038118b2436e4b9c7551b49e69e9caf395d8218118f2624f0d470714a34129b92d2f5b07336fc58794d93559aa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\System.dll

Filesize
1KB

MD5
50b3725113fa7b5e0cf007c57590b682

SHA1
9d05170ec39ae22ca23e5107b0b8a69b2395a5e9

SHA256
35ef0d6a81b94c8a64aade6dddcafa7aae5b2ddcff2205b2aec55401e3fbae11

SHA512
e87b53765b04f5862449b9ee60d5d7dd3e50958726b87678d8a5b03f9f15027a121b398396e7bc9973e293328ff2f0a1cca2e2b9d8a3d05e9c46ee99ba5c0377

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\System.dll

Filesize
10KB

MD5
7d85b1f619a3023cc693a88f040826d2

SHA1
09f5d32f8143e7e0d9270430708db1b9fc8871a8

SHA256
dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

SHA512
5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
2KB

MD5
a793bae1ebceb1014eafd9c1266ba61d

SHA1
90be0a8a82e0b989f50e416dfc68d3f0cfdad72f

SHA256
38bb07f41a9b5935c216c61dbea4690fb78b69506f2dd53041abfbbd6808ee0b

SHA512
d22fb676b8fe63f048d41a498cba86c9b6befe6dbfd610529ef0006ece11e42f4d967bde7960f0a1f04d611cdef68e2dfa39ed6b4c68a3f4e863076288e15626

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
2KB

MD5
d79e2d1f1897703d13ee87b30926744b

SHA1
9cf12ee417c513c82edd29f830fda48b157fa786

SHA256
8bca50fc12835d105527e654c943932d2c2aaf7b2c25f3cf94f703eab5ade056

SHA512
a66e94f9f82ba7d2c3d6ce91a1e375a6273262c4ed443c32f7841f0cf909cf9e0a2f1ea86b52492f366585d3c233b8db5e2b73de851a10a5531c4243243d49c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
13KB

MD5
d5a05af981f6737f13acbabc29d4eacc

SHA1
4d6fbefc007a3ad3aabd61016b4c3336c583c478

SHA256
ff3ff04497684780f9a526cf742a11c9969a8c7c50ef60db2d5187e805d612fe

SHA512
f523bbbcd55ec83011b0679b58a75dc6fb22ce023154aabd6f628df6a652e258980ac002fe41edecaf80b5be5796b98beb4224d4a292a7d6151c94720ac6ab62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
16KB

MD5
5aedab519d6aec8a7dfe94848cf468ec

SHA1
872f77f05f7c795f1ed1433d7dfcf552dd5ebe9c

SHA256
922a76610ff2c60a3ec5958db840d3ac18a4dada79bec2c0e6426851d528f791

SHA512
76afd79c126e0b21ce936d59891b7b40cdddb0efc80500560dce1d2fb8a2bd63b1493466c24e259b4a43e8bf62ae728037926a11eb6a1b295349c24f353d23de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
1KB

MD5
58fb390a4378dcba17f7893e8be04860

SHA1
b0095527cf7517ed7acfa7ea444ff27288364dd0

SHA256
621a101f6c58c9380c94aa0fc83c348f9f82180129ee72f4ad07784cfb2eeeaa

SHA512
3dc4ee59857be31edd01aa0bb2a443c735b28824fa1a3775968b4e8e0b5773b813bcd17beaf74c859aa062e99027282f1a7a43f1d22f6213b02d955b900b2151

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
3KB

MD5
27e26523f23513b83590b14365e09515

SHA1
822e343535a6754981cc930aa2ae1965233eec70

SHA256
92ad4ede1a202a061c9fbc69742d11f7a5078acde208b50289dca52162248930

SHA512
9e2dde2b9f1d538256a0e658ec674d207b433628663aaa58dd7631965d27ed585d0302816375e317e4d1536174e4a710865866ecda870e5330fde9905fb7c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA4FC.tmp\blowfish.dll

Filesize
21KB

MD5
d675a8b9f8b52044ac54bc949182be07

SHA1
d3e7ade7143efaeedaa61eaae2eca8170ef27ed6

SHA256
dc7600cf821adc2a0eff1df8926de2126f0cea55f4da7f08ef2c52347d3cea9c

SHA512
b2e9504a4df2ce2b059b67bf00d138c800a91848ef21490c1e8e52b3e68458528847f11955ec2da4cfc93357e0db268316372ff553128838d7ac108c79e13a1a

Download Submit
C:\Windows\mkrndofl.dll

Filesize
18KB

MD5
73c7e5c39bda630ff55695732f2e3d69

SHA1
076e9ca53ad5c18aa7dd5a0c49aea9b1167027f3

SHA256
370d99d11ee6aea1a15e66440818bf6b9fd0935fa063cd00f8c5fb19943e0cfd

SHA512
fca50b8f208efa94195394708411e82adf326d444aa9cc11c79f533a4e0536e30cf471cce3e7856432937cf97d50138620045ab2a52d7eb40aaf487b3c94af45

Download Submit
C:\Windows\mkrndofl.dll

Filesize
15KB

MD5
97ceab997c3893aecd0a18edc4fc459a

SHA1
da71996b21c7f7971942fb3bd69fef0d7b9b4fb9

SHA256
de5ea27ddf484dd4080e8659c9c3c9f3132f1d4c8d2ca133b38f0c2c93154067

SHA512
e33255b981f5bbe92be84a7111a38a142e54da06b77d1233a498884452e540b35a3efbc3a34d2a76e8a97498ea809a1a71181a3aea4214c2c3b61ecfb992a27d

Download Submit
C:\Windows\qvlbodmnwra.dll

Filesize
32KB

MD5
141c5e1fd4c217338ae43073cf312f13

SHA1
620c3a2168b1bc761f3d2de638ede215e4cece1b

SHA256
193b3a5613d7b2d0d36a3589985333d9e260de264e87e28f2f4b434fe4a75cc3

SHA512
ef5a6e0face83f2448d37e5e6cae91e5807e736de3c3c5dbc90831a073792fa604e035109679b5188cadb2284bbb86679795b1528955a63c34b96018c8038410

Download Submit
C:\Windows\qvlbodmnwra.dll

Filesize
1KB

MD5
719bfd99e50c976dc81382f12ae8cd92

SHA1
e5be2a3ad0ae6b7ecf117a1dfb2dc45cd3e5e6f8

SHA256
a5c1f996f189fe36ac6cd79e1d5c630fd47cab4750159a3eae7d0c4aa19004b5

SHA512
a783cc32967ca3d1a0708bb48b53ba9ba608d53adc124c5d959a66364afdfaaf86bfc2f3992ea0d9157ee2321c31e5a656afa0c022b6761efe7d1396fa782759

Download Submit
memory/636-180-0x000001EECEC80000-0x000001EECECA0000-memory.dmp

Filesize
128KB

Download
memory/636-175-0x000001EECE660000-0x000001EECE680000-memory.dmp

Filesize
128KB

Download
memory/636-173-0x000001EECE6A0000-0x000001EECE6C0000-memory.dmp

Filesize
128KB

Download
memory/660-142-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/784-246-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3268-260-0x000001557CB60000-0x000001557CB80000-memory.dmp

Filesize
128KB

Download
memory/3268-256-0x000001557C4C0000-0x000001557C4E0000-memory.dmp

Filesize
128KB

Download
memory/3268-253-0x000001557C500000-0x000001557C520000-memory.dmp

Filesize
128KB

Download
memory/3276-228-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/3296-214-0x0000023047970000-0x0000023047990000-memory.dmp

Filesize
128KB

Download
memory/3296-218-0x0000023047D50000-0x0000023047D70000-memory.dmp

Filesize
128KB

Download
memory/3296-216-0x0000023047930000-0x0000023047950000-memory.dmp

Filesize
128KB

Download
memory/3392-235-0x0000028870EC0000-0x0000028870EE0000-memory.dmp

Filesize
128KB

Download
memory/3392-240-0x00000288714A0000-0x00000288714C0000-memory.dmp

Filesize
128KB

Download
memory/3392-237-0x0000028870E80000-0x0000028870EA0000-memory.dmp

Filesize
128KB

Download
memory/3904-269-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/4140-206-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4288-196-0x0000022FD6FA0000-0x0000022FD6FC0000-memory.dmp

Filesize
128KB

Download
memory/4288-193-0x0000022FD6B90000-0x0000022FD6BB0000-memory.dmp

Filesize
128KB

Download
memory/4288-191-0x0000022FD6BD0000-0x0000022FD6BF0000-memory.dmp

Filesize
128KB

Download
memory/4740-281-0x000001B7BAB90000-0x000001B7BABB0000-memory.dmp

Filesize
128KB

Download
memory/4740-278-0x000001B7BA780000-0x000001B7BA7A0000-memory.dmp

Filesize
128KB

Download
memory/4740-276-0x000001B7BA7C0000-0x000001B7BA7E0000-memory.dmp

Filesize
128KB

Download
memory/4808-185-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/4860-165-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/5048-153-0x000002D39EA30000-0x000002D39EA50000-memory.dmp

Filesize
128KB

Download
memory/5048-151-0x000002D39E620000-0x000002D39E640000-memory.dmp

Filesize
128KB

Download
memory/5048-149-0x000002D39E660000-0x000002D39E680000-memory.dmp

Filesize
128KB

Download