eternity | hxxps://github[.]com/Testabots22/Bloxflip

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Testabots22/Bloxflip

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00070000000232ad-215.dat	eternity_stealer
behavioral1/memory/5088-264-0x0000000000280000-0x0000000000366000-memory.dmp	eternity_stealer
behavioral1/files/0x00070000000232ad-402.dat	eternity_stealer
behavioral1/memory/5540-434-0x000000001B4F0000-0x000000001B500000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe\:SmartScreen:$DATA	Loader.exe

Executes dropped EXE 64 IoCs

pid	Process
5088	Loader.exe
4328	dcd.exe
2748	Loader.exe
3816	dcd.exe
4704	Loader.exe
2316	Loader.exe
2712	dcd.exe
100	dcd.exe
4984	Loader.exe
2912	Loader.exe
4456	Loader.exe
1236	dcd.exe
4236	dcd.exe
5164	Loader.exe
5220	Loader.exe
5348	Loader.exe
5364	dcd.exe
5420	Loader.exe
5464	Loader.exe
5476	dcd.exe
5540	Loader.exe
5556	dcd.exe
5624	Loader.exe
5720	Loader.exe
5800	Loader.exe
6100	dcd.exe
4424	dcd.exe
3904	dcd.exe
5552	dcd.exe
5680	dcd.exe
5884	dcd.exe
5608	dcd.exe
5192	Loader.exe
5124	dcd.exe
5276	Loader.exe
4404	Loader.exe
816	Loader.exe
1856	dcd.exe
3788	dcd.exe
6108	Loader.exe
3736	Loader.exe
6128	WerFault.exe
5668	Loader.exe
5140	dcd.exe
4848	Loader.exe
4052	Loader.exe
5676	dcd.exe
4632	Loader.exe
1204	dcd.exe
1372	Loader.exe
2516	Loader.exe
1824	dcd.exe
6072	dcd.exe
5160	Loader.exe
2732	Loader.exe
5440	dcd.exe
2820	dcd.exe
952	Loader.exe
752	Loader.exe
1680	Loader.exe
5760	Loader.exe
5564	dcd.exe
4356	dcd.exe
3928	dcd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 133342.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 883744.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3228	msedge.exe
3228	msedge.exe
3220	identity_helper.exe
3220	identity_helper.exe
4988	msedge.exe
4988	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	Loader.exe
Token: SeDebugPrivilege	2748	Loader.exe
Token: SeDebugPrivilege	4704	Loader.exe
Token: SeDebugPrivilege	2316	Loader.exe
Token: SeDebugPrivilege	2912	Loader.exe
Token: SeDebugPrivilege	4984	Loader.exe
Token: SeDebugPrivilege	4456	Loader.exe
Token: SeDebugPrivilege	5164	Loader.exe
Token: SeDebugPrivilege	5220	Loader.exe
Token: SeDebugPrivilege	5348	Loader.exe
Token: SeDebugPrivilege	5420	Loader.exe
Token: SeDebugPrivilege	5464	Loader.exe
Token: SeDebugPrivilege	5624	Loader.exe
Token: SeDebugPrivilege	5540	Loader.exe
Token: SeDebugPrivilege	5720	Loader.exe
Token: SeDebugPrivilege	5800	Loader.exe
Token: SeDebugPrivilege	5192	Loader.exe
Token: SeDebugPrivilege	5276	Loader.exe
Token: SeDebugPrivilege	4404	Loader.exe
Token: SeDebugPrivilege	816	Loader.exe
Token: SeDebugPrivilege	6108	Loader.exe
Token: SeDebugPrivilege	3736	Loader.exe
Token: SeDebugPrivilege	5668	Loader.exe
Token: SeDebugPrivilege	4848	Loader.exe
Token: SeDebugPrivilege	4052	Loader.exe
Token: SeDebugPrivilege	4632	Loader.exe
Token: SeDebugPrivilege	1372	Loader.exe
Token: SeDebugPrivilege	2516	Loader.exe
Token: SeDebugPrivilege	5160	Loader.exe
Token: SeDebugPrivilege	2732	Loader.exe
Token: SeDebugPrivilege	952	Loader.exe
Token: SeDebugPrivilege	752	Loader.exe
Token: SeDebugPrivilege	5760	Loader.exe
Token: SeDebugPrivilege	1680	Loader.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1032	3228	msedge.exe	86
PID 3228 wrote to memory of 1032	3228	msedge.exe	86
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3544	3228	msedge.exe	88
PID 3228 wrote to memory of 3252	3228	msedge.exe	87
PID 3228 wrote to memory of 3252	3228	msedge.exe	87
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89
PID 3228 wrote to memory of 4032	3228	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Testabots22/Bloxflip
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa408a46f8,0x7ffa408a4708,0x7ffa408a4718
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:4328
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:2508
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:100
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:2712
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:1236
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:4236
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5364
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5164
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5476
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5556
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:3904
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5680
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5884
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5608
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5552
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:6100
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,1381196227582244744,4604413230518190523,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5672
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:1856
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:3788
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    PID:6128
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5140
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5676
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:1204
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:1824
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:6072
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5440
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:2820
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5564
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:4356
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:3928
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    PID:1616
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    PID:5624
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    PID:1468
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4404

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5192
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:5124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x2f4
1⤵
PID:4936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 752 -ip 752
1⤵
- Executes dropped EXE
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
704KB

MD5
21b7b85c925679b7bd50920db53774cd

SHA1
9793ecf1123edd4bfe5927b92348a2b9ebc46d45

SHA256
22501c89d1859b499aec4b3a94aa4991246f378f42ff05601ae235deabbb79a6

SHA512
7fa577116e49d0f130c7f81ee73cde4bacea8a1250150afe8f9ff2bcde28b5edab7b2d5eef7aa0c124ffcec51ffdc9e88ee65d806cf96b7197221cf0a9722d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7573fd0fb3c1748dce0252520acefd10

SHA1
baae656b21b13855a8d4aaa3a43d73f5e116747b

SHA256
c441370acb67796969aaac3d885fe827d355352d53c5d55c1b93f7eca635a4a2

SHA512
0d7d5f513f2171d05abebe70de5d9a835a114d18a610287267aceb8908dfbb81f9c197e17c3c821b76c6a4ed1441742b061c58b95a7867c715bad3f7a853dfd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7997b79c4fda2972cd8848be66b4a0be

SHA1
5404762879bd3e730fd4f67479b2471999e60ceb

SHA256
8f6cf8b3c645fea068d45917ff1e994b3a3a1ac8f6930d8bd19a6fbbf24ba7ed

SHA512
31cef568bf70578ab849979956fc6feb98dd6eebd798f99539bed91880cffd95ecfc53673585e8990ead95261ec50ff14ce8975508d1c78cd6803738f129251a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
1d9bf44973c18a2a639d1ed1eb792d88

SHA1
4ca08303ca556d377ec860d8e8526a257afba41a

SHA256
425622de3fd0a3557af7b98894d3e97dbbb3f0624b64567df01c3097e0383647

SHA512
3a682153587571be751d257cb4aeeea94af2315a138c9836d68a51328863b741707674c9fa879c78edfb6b322648cadc5ecab1eb6025b267d086e23c9e2aa36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
8c05788e4967078480521d65d3eb1428

SHA1
af63e95bb62938faa36015b5951ea37101910d1b

SHA256
edba799d78ea5582afb4e1f81657b336ec49411afcd46b4d441190815e2b52ef

SHA512
945cfb1557bfa141b724502626249f0b09c8e93816a6e7e8baa96f09a8b98df408dd6ee9ed92692e5a8f347a91a7b808e277f1e8f756300ab934beac526fbc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e96cad09e8b7ac42f3dfb03414ee204d

SHA1
d839b062a375a22214d40f45093a14674ac6a0c9

SHA256
989773c21bca09c2867ac2f53384b28ef15913924c5ecd238a6430c296c7a49f

SHA512
4f28b15e212aea7b5b055c22817e05f53ba29bbea72c5ba7a0e7ce025435bc6d9edc4eba66b1509f5c28cfb30a0e84870db19609e4bcb7f728b7df92e6a551d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1dab74585b696c8c216757f61043ff13

SHA1
fe6634a8eb8231b2a1374d7803d11a71d0c94831

SHA256
b98d1cfedc60eec601c210ac682db923b0c203489171bcd714d47a11a22cfa90

SHA512
f6f6538851d71f9f2ba622810fcc835e7b5f6e2c9bb02ce3d61c128056471527f08c182f031bbec2bd5749f78cc1f83babd5bf3402a55c3f266d2ff033242dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3958e54eab30465d7852ec4b87090116

SHA1
2f15723532477ed6d7bc436bca27de69040e7695

SHA256
a5fd4eea148b787c07f8df7d9647546f37ee6eec1c02543dc565c5241703fb3b

SHA512
8f3cb6eaba4ab20fb2155189b781aba220fe524d0d89b03e86b2aeabda5e945817dca74372ce5816aef7c2e8f2d82de81d88a61ec9b09e7996f1c2a0319de9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eae85e285a754176d54a9961f092a67d

SHA1
93936687c49d97875ccc9d92c0ba3eddf7f7e71b

SHA256
fa48e990abaa3d89a0b4040642ee18cec2d015347873e644d75ccab2c1be221e

SHA512
c1fafa9b0e7553edb61a4780f714297db5083a9ecd05057e4cf0d04b96a9e86042b2a5799c2d8e6c4ad80859086223059b9839b3b2ecb56fadc9003df5cc83cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d46332b268b9c73ad5598b7a1cb797e

SHA1
5b3c1ff52326734a0d48a947c6f9021f5ed2c243

SHA256
673ca99d7b9ed2c324056ebb05f87c34ab6d0009cdcbf01f1661a0056e8bd43c

SHA512
1f43573f7d541c00f18c4f75cad08d529b8fa98dcc5a32162e78435c71ec82762445d88920c223ca3268032e6ec4f755bdec87df170fd603b730f167532b5ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f3b6b0530bc0d0f39a59f9c16b9e552

SHA1
9740d11225cc950f7341fec9de6abba5067143b4

SHA256
9ccf3a3b9c8095bbc0d5e79b79a53734e6b394d3a03aa997ffdd128064aa36be

SHA512
538b2ff28039047da8b19e73ada69f34bcf740fa3bb9fc5a88b8122389bef711d66993a888bea08a7157dbb1fb5864471ce323f9d4fbb99cc562b75add7cded0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e10eeb011b8555eb61748abef48635e3

SHA1
c56f7696e0239c650c8bc6305358f149dbf9f1d6

SHA256
42d298f2b31acad79954f616f5056689c8cbfbcdd4b3fb77722d93b45ce541ae

SHA512
a09fa25989073140627d63e9daaeec0fe470e8eee4db95dadbef0f9be322d4700d761254d8beabb3ce5fb52aedb95ed496cbbaba6230de25f4d693015a39dece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efb2c1562ff57a34fb98d1fa7c2cda6e

SHA1
77499421410c1bced5c8aa49f127cb3547244f26

SHA256
655494cd2a0aa4c3e56ed6e00e2fdf8e30864d8793be0143367cd0bdaa5f0685

SHA512
76ba976259089602c7ccae1503502438449ccd44e1f234a93eadc1cb00ab0b7b9e484fc4ae139768f9853aef640e8f9a79bc1305ad298735464da1ec973b8c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5773420dfa51809c8e8cfde6915878f

SHA1
52c8877db9f487a4ec40143aa246bd41310a2617

SHA256
ea806b86c7d131645cd945f3c851f220388bb264d653956a9c89f454396ec9e1

SHA512
f86a35304eba76325e62ae188196eb3254fc9c3867772f0dee2559f1b61b3d0a3eb89e7c176d12c1655ed769b1be9a05d4dce7c9b75060b13b4e979da81d328a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1aca4396c1cbdb3c3268818b03ee24a0

SHA1
697d3c7163245f1696a472384d185083b7565934

SHA256
bea0d184a641e5e6725e21475657bc3bcd6ebbf78b6e1f8650ed18b1f5d2bd17

SHA512
8f53182eeb92421b59b61f721e6d19efac58aa292ffac57e6995bac766c6bf99ffee5f8d4f7586965b4b5a35cadb654a0bf4a3c1440d59389fb206a603ca897e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2336f7e4d881e5a9de80b294e67aae16

SHA1
ba7b3a1d5d7b5159ef82121bec7e8f6fc7101490

SHA256
ef4ee2628c81a67c39e15c7c76d113a4a8ed9030282b5be790a7b3b7167c6313

SHA512
b166cd9ec2ebb351487c79c71f14cf97791dbadf76ac33673e180520e460ac600289d44ce214f03f9bcd31590491e6b2747a46b788caae8b056b8bcb5b9a0268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8319398cf030412351527e91f69482e6

SHA1
3f067ea881a98d23931893d07396ca3a55c5b35f

SHA256
e8995a253cebb94e2915dfe113193bf78458af6aa47fcea3d06ebcbf8f3600f2

SHA512
2cfd7aed791bf2a2870f03ef50c8298a99d8e4739134259267202c43ff49606c29366e66b5042294ddc98f6880044ba0a81e5c9271d2db29afcd1d8e60c9c4c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a836.TMP

Filesize
1KB

MD5
10a303b5595faa534bf5bc8484b0c587

SHA1
35b02e8ddb1e285df54e5651720f2780eaf37c17

SHA256
dab5457ee9299608da2853e5bcfc4a7d7115b73701fcbae9bcbd6daf181ca389

SHA512
7f084c12965ea7ca432987fb8344454bcbd47b2c72cd43df29bb0e3cf8b1d20cae190a49c58c848bc7e59cd7dbe6df1dd15c87ad22615c0363591160b5e82cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2eaeb8c5aad3393ef11e91ba331fcb33

SHA1
3d4d5f82b7a4568c84fdc8b8325e2d60e64f83eb

SHA256
40aa728c91553c24f2859f0e274e6e2fb7b6bbf0cc344b57b950d295dd12faf8

SHA512
51d8c28a80adb0e7ecc9ac2903227978e940de896fb20bd65991a94e7fa7dcd5231dd6c3eba0f7a7ce1210fae665579d1abb232c541828c29c90f48124570b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b769ce061b979cd677062eb5cfc79148

SHA1
79b07c7c192de4b42ed34f988637d30711b331b0

SHA256
ea55128f642bcbc8e1669c3be105bbeea4b55a6f84fc5fb9bb623aec152ef952

SHA512
1ad29003bbea6631a4c649f1d289f39fac2122002dd0522981ef0fbd10af5edfcabec66ae3509d3b09f7a11c976d10751519563ab8176fa8e4293f740aa28136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
247d1761698a2bde3eae825192a5ab76

SHA1
be6ac8f6300371f459937acc049b015991d74ab3

SHA256
13dd7bcb93141fdaf3a75a7c3f9c7c64d6ce37c485120ff566b5000ac7802272

SHA512
051daaf998901bf3f1e1dca1bacf42c90948b0fffb8d12952852ac9f25c94e73f9afb98e0e60632c7a4f0d99064209822e9866c63808e0187c63936bdae466f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Loader.exe

Filesize
832KB

MD5
aaf9c2ea931a975f5cc2c05582a35198

SHA1
91f3051435a96411182efbb038a5b3dcbe5ac285

SHA256
72911accafe66ff1a1eac702be89c65bd56b9536119ad80d6edfffb69be9fa5d

SHA512
f6a263013d8fd2d78aa8ddf82ab0da8b35a760020efe730f7172599535b931f2c408482cdc2bfd03c1388b49f22c475e91f69b100fd6d100ba67a4d0e1eb6a69

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 133342.crdownload

Filesize
887KB

MD5
4921715c2581f736e92ea569def50a69

SHA1
85d44e955199463ca786b2ef4ca95189704bb599

SHA256
d25991745f08ec053c593fe639303859ec6b50a02fd04f86223526d5563062ba

SHA512
4b18a2361f9e0be0be1d3fedcd82c0e900b90cb96fe084c7937e8a0e60711e8a39394891d91f06e62f57026a1f98116ffa1c2ee41e168e59e72303562d823127

Download Submit
memory/2316-345-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2316-334-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/2316-333-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/2316-326-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2316-327-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/2316-330-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/2748-318-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2748-285-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2748-286-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2748-287-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/2748-288-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/2912-371-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/2912-369-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/2912-370-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2912-390-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/4456-382-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/4456-393-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4456-387-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4456-392-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4704-328-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4704-332-0x000000001B280000-0x000000001B290000-memory.dmp

Filesize
64KB

Download
memory/4704-329-0x000000001B280000-0x000000001B290000-memory.dmp

Filesize
64KB

Download
memory/4704-325-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-331-0x000000001B280000-0x000000001B290000-memory.dmp

Filesize
64KB

Download
memory/4704-350-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-372-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/4984-448-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/4984-386-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/4984-373-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/4984-368-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5088-266-0x000000001AEC0000-0x000000001AF10000-memory.dmp

Filesize
320KB

Download
memory/5088-275-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/5088-276-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/5088-289-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-274-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/5088-273-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/5088-272-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/5088-265-0x00007FFA2E4F0000-0x00007FFA2EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-264-0x0000000000280000-0x0000000000366000-memory.dmp

Filesize
920KB

Download
memory/5164-391-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/5164-399-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/5164-384-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5164-388-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/5164-398-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/5220-389-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5220-401-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/5348-403-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5348-409-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/5348-435-0x0000000002B70000-0x0000000002B80000-memory.dmp

Filesize
64KB

Download
memory/5420-436-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/5420-406-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5420-421-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/5464-438-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/5464-415-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5464-442-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/5540-428-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5540-447-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/5540-444-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/5540-434-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/5624-430-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5624-432-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/5720-431-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download
memory/5800-443-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/5800-433-0x00007FFA2D740000-0x00007FFA2E201000-memory.dmp

Filesize
10.8MB

Download