Analysis

  • max time kernel
    375s
  • max time network
    332s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02-03-2024 22:03

General

  • Target

    Chernobyl.exe

  • Size

    343KB

  • MD5

    d576e0520faa40435d5bdc66304205f9

  • SHA1

    b99fce6ebd094e2cbc29e1ed4e47360781e86c47

  • SHA256

    2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

  • SHA512

    6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98

  • SSDEEP

    6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 18 IoCs
  • Modifies file permissions 1 TTPs 18 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:892
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          3⤵
            PID:680
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3820
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
              PID:768
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Windows\SysWOW64\rundll32.exe
              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
              3⤵
                PID:3760
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2364
              • C:\Windows\SysWOW64\rundll32.exe
                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                3⤵
                  PID:3524
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1812
                • C:\Windows\SysWOW64\rundll32.exe
                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                  3⤵
                    PID:4188
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4612
                  • C:\Windows\SysWOW64\rundll32.exe
                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                    3⤵
                      PID:4480
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1464
                    • C:\Windows\SysWOW64\rundll32.exe
                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                      3⤵
                        PID:2944
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2644
                      • C:\Windows\SysWOW64\rundll32.exe
                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                        3⤵
                          PID:5044
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4196
                        • C:\Windows\SysWOW64\rundll32.exe
                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                          3⤵
                            PID:4796
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                          2⤵
                            PID:5004
                            • C:\Windows\SysWOW64\rundll32.exe
                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                              3⤵
                                PID:2236
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                              2⤵
                                PID:3128
                                • C:\Windows\SysWOW64\rundll32.exe
                                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                  3⤵
                                    PID:2928
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
                                  2⤵
                                    PID:1220
                                    • C:\Windows\SysWOW64\takeown.exe
                                      takeown /f C:\Windows\System32\smss.exe
                                      3⤵
                                      • Possible privilege escalation attempt
                                      • Modifies file permissions
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4468
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
                                    2⤵
                                      PID:4488
                                      • C:\Windows\SysWOW64\takeown.exe
                                        takeown /f C:\Windows\System32\csrss.exe
                                        3⤵
                                        • Possible privilege escalation attempt
                                        • Modifies file permissions
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5024
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
                                      2⤵
                                        PID:4492
                                        • C:\Windows\SysWOW64\takeown.exe
                                          takeown /f C:\Windows\System32\wininit.exe
                                          3⤵
                                          • Possible privilege escalation attempt
                                          • Modifies file permissions
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3996
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
                                        2⤵
                                          PID:1792
                                          • C:\Windows\SysWOW64\takeown.exe
                                            takeown /f C:\Windows\System32\LogonUI.exe
                                            3⤵
                                            • Possible privilege escalation attempt
                                            • Modifies file permissions
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2928
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
                                          2⤵
                                            PID:4120
                                            • C:\Windows\SysWOW64\takeown.exe
                                              takeown /f C:\Windows\System32\lsass.exe
                                              3⤵
                                              • Possible privilege escalation attempt
                                              • Modifies file permissions
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:396
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
                                            2⤵
                                              PID:1452
                                              • C:\Windows\SysWOW64\takeown.exe
                                                takeown /f C:\Windows\System32\services.exe
                                                3⤵
                                                • Possible privilege escalation attempt
                                                • Modifies file permissions
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3524
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
                                              2⤵
                                                PID:2424
                                                • C:\Windows\SysWOW64\takeown.exe
                                                  takeown /f C:\Windows\System32\winlogon.exe
                                                  3⤵
                                                  • Possible privilege escalation attempt
                                                  • Modifies file permissions
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4480
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
                                                2⤵
                                                  PID:1480
                                                  • C:\Windows\SysWOW64\takeown.exe
                                                    takeown /f C:\Windows\System32\winload.efi
                                                    3⤵
                                                    • Possible privilege escalation attempt
                                                    • Modifies file permissions
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1788
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
                                                  2⤵
                                                    PID:3332
                                                    • C:\Windows\SysWOW64\takeown.exe
                                                      takeown /f C:\Windows\System32\winload.exe
                                                      3⤵
                                                      • Possible privilege escalation attempt
                                                      • Modifies file permissions
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1464
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
                                                    2⤵
                                                      PID:660
                                                      • C:\Windows\SysWOW64\takeown.exe
                                                        takeown /f C:\Windows\System32\ntoskrnl.exe
                                                        3⤵
                                                        • Possible privilege escalation attempt
                                                        • Modifies file permissions
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3220
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
                                                      2⤵
                                                        PID:3480
                                                        • C:\Windows\SysWOW64\takeown.exe
                                                          takeown /f C:\Windows\System32\svchost.exe
                                                          3⤵
                                                          • Possible privilege escalation attempt
                                                          • Modifies file permissions
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4896
                                                        • C:\Windows\SysWOW64\icacls.exe
                                                          icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
                                                          3⤵
                                                          • Possible privilege escalation attempt
                                                          • Modifies file permissions
                                                          PID:2868
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
                                                        2⤵
                                                          PID:2304
                                                          • C:\Windows\SysWOW64\takeown.exe
                                                            takeown /f C:\Windows\System32\drivers\afunix.sys
                                                            3⤵
                                                            • Possible privilege escalation attempt
                                                            • Modifies file permissions
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4512
                                                          • C:\Windows\SysWOW64\icacls.exe
                                                            icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
                                                            3⤵
                                                            • Possible privilege escalation attempt
                                                            • Modifies file permissions
                                                            PID:1672
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
                                                          2⤵
                                                            PID:3128
                                                            • C:\Windows\SysWOW64\takeown.exe
                                                              takeown /f C:\Windows\System32\drivers\gm.dls
                                                              3⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:5004
                                                            • C:\Windows\SysWOW64\icacls.exe
                                                              icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
                                                              3⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              PID:2696
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
                                                            2⤵
                                                              PID:2024
                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                takeown /f C:\Windows\System32\drivers\gmreadme.txt
                                                                3⤵
                                                                • Possible privilege escalation attempt
                                                                • Modifies file permissions
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2292
                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
                                                                3⤵
                                                                • Possible privilege escalation attempt
                                                                • Modifies file permissions
                                                                PID:2612
                                                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                                                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                                                            1⤵
                                                            • Modifies registry class
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3836
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
                                                            1⤵
                                                            • Enumerates system info in registry
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            PID:492
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9119b3cb8,0x7ff9119b3cc8,0x7ff9119b3cd8
                                                              2⤵
                                                                PID:3964
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
                                                                2⤵
                                                                  PID:4600
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
                                                                  2⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:4516
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
                                                                  2⤵
                                                                    PID:4024
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
                                                                    2⤵
                                                                      PID:1360
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
                                                                      2⤵
                                                                        PID:4588
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
                                                                        2⤵
                                                                          PID:4316
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
                                                                          2⤵
                                                                            PID:2492
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
                                                                            2⤵
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:2668
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:3288
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:1540
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  PID:4528
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5068
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.0.347786694\2062407478" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfbbe9da-3400-4eb8-a522-fb0dd7169c0f} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 1900 149ed4d8558 gpu
      3⤵
      PID:1400
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.1.538947283\812777722" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2271e683-bfde-4ace-ade1-e8b4e169fbfb} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2280 149e14e4d58 socket
      3⤵
      • Checks processor information in registry
      PID:3580
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.2.2109894652\1464264661" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 3172 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f0702c-4b0c-45d9-8b62-96faa965415a} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3252 149ed45ed58 tab
      3⤵
      PID:648
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.3.545302048\397580022" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea672c5-64d3-4a64-bace-aa68cae9bf50} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2820 149e1462858 tab
      3⤵
      PID:4316
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.4.135781728\1647966276" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b18a1a-47ef-4341-a150-49bb54e421a5} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 4216 149f37dda58 tab
      3⤵
      PID:5044
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.5.1518743565\1828414592" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5072 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f6188e6-c589-4748-ad63-e5b8c215b56c} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5088 149f4954658 tab
      3⤵
      PID:2336
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.6.1218738732\2130217779" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2cbc83-24b0-4295-8074-be589a8c4eaa} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5160 149f4b71158 tab
      3⤵
      PID:2304
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.7.822328114\1804542312" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7f5e6e4-c803-4c9f-b82c-641e68706901} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5352 149f4b71a58 tab
      3⤵
      PID:1360
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.8.2111489437\443013592" -childID 7 -isForBrowser -prefsHandle 1624 -prefMapHandle 1640 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0561dcf-8c50-4de2-9f65-67a98efeeb51} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3440 149f60bb558 tab
      3⤵
      PID:3540

Both CompPkgSrv.exe instances and the firefox.exe tree are top-level entries (1⤵), not descendants of Chernobyl.exe. The behaviours flagged on firefox.exe PID 5068 (processor-information lookups, SetWindowsHookEx, FindShellTrayWindow, SendNotifyMessage) are the browser process's own activity in this tree and are not evidence of what the sample did unless the sample can be shown to have injected into that process.

Network

MITRE ATT&CK Enterprise v15


                                                                                              Downloads

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                Filesize

                                                                                                152B

                                                                                                MD5

                                                                                                0e10a8550dceecf34b33a98b85d5fa0b

                                                                                                SHA1

                                                                                                357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

                                                                                                SHA256

                                                                                                5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

                                                                                                SHA512

                                                                                                fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                Filesize

                                                                                                152B

                                                                                                MD5

                                                                                                3b1e59e67b947d63336fe9c8a1a5cebc

                                                                                                SHA1

                                                                                                5dc7146555c05d8eb1c9680b1b5c98537dd19b91

                                                                                                SHA256

                                                                                                7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

                                                                                                SHA512

                                                                                                2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                Filesize

                                                                                                5KB

                                                                                                MD5

                                                                                                638c4c56f9cdc590ae5ed62c1ffb3546

                                                                                                SHA1

                                                                                                daf02be74975ffb2bd7e1f0519d882daa1b7fccb

                                                                                                SHA256

                                                                                                055b8fec099f4756b698b8a20dbb672e196be0d28292a2449fff35dc94f6889b

                                                                                                SHA512

                                                                                                395072bd2b989cc4cf28912ef9346cb7fc36252c66ee895d8ccbfa8b6ab8d822e5898d71ec2053e30d093190c19a6ff8c43380ac48932f48e1c87cb871d29419

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                Filesize

                                                                                                5KB

                                                                                                MD5

                                                                                                c3b6ba2e415388ba6e5d9bfe53b3f806

                                                                                                SHA1

                                                                                                5ab26546d0962ccea7deaf61e408b4b5f91fd7ee

                                                                                                SHA256

                                                                                                ad381c03527352e8116e3866e3f3eb25c2ff9de2e7ada0768ba93a696a9a8a03

                                                                                                SHA512

                                                                                                6eec719255283ec81232394bf403233b2ef92ae2283634f34172e59bbc74a7b3b281d781de38acbc82d7c96645fbc4d6ad0a2d01a68968abc4ff213e01f6deb4

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                Filesize

                                                                                                11KB

                                                                                                MD5

                                                                                                86b1f0ac37252d1acc375a3e31bead4c

                                                                                                SHA1

                                                                                                5d1d7fcea50bcf3b7c7929f0fa899d47dd116789

                                                                                                SHA256

                                                                                                4539ed65c2fc46f1dba700544e6e3d32181036437ebe7977e76603485859dce7

                                                                                                SHA512

                                                                                                a30f7d057c5bb6de6f5d6ccecac8ab54be2bda87a0c20d30ca719116a37ea92f3268e557cec1997c87fbe73a07225b9ca2f64483eb18b56c45ff75431a5267eb

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                                                                                                Filesize

                                                                                                264KB

                                                                                                MD5

                                                                                                f50f89a0a91564d0b8a211f8921aa7de

                                                                                                SHA1

                                                                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                                SHA256

                                                                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                                SHA512

                                                                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0zk78kq5.default-release\cache2\doomed\13867

                                                                                                Filesize

                                                                                                10KB

                                                                                                MD5

                                                                                                05ce3f2822db3b2067aa653e518f4023

                                                                                                SHA1

                                                                                                26efe3d058a09a490cf8dab02286cf9b19dfe0cb

                                                                                                SHA256

                                                                                                d28c55630f6bc45bc55894086ffed92b9a1210d5a55a8b9cdf95af5961c18b4e

                                                                                                SHA512

                                                                                                b8bd71f9c3594c39d2e90fcbe6ab194bcff0536463535143c9072e6b5d007797881ad838286c2ad644f880c665bbb07e7535b2db50c6865e0d422f022bdae475

                                                                                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                                                                                                Filesize

                                                                                                10KB

                                                                                                MD5

                                                                                                82678367fa4297a26727ccc84e0b2f60

                                                                                                SHA1

                                                                                                0c65ab90390566f7d2f5b4751b9027f6bac1d22a

                                                                                                SHA256

                                                                                                fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29

                                                                                                SHA512

                                                                                                e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5

                                                                                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                                                                                                Filesize

                                                                                                10KB

                                                                                                MD5

                                                                                                28d32a16ce87d488acc7632092f7d566

                                                                                                SHA1

                                                                                                325dd247e49113dd987531ffe7ca26c22ce08c31

                                                                                                SHA256

                                                                                                ba6d4f09117c098bd27508a14d44822f13399ebe16d5d2539ad2844157fa4907

                                                                                                SHA512

                                                                                                8159021f9d0e28d370faddf7fa41aa9d4bdf7a1aee71779706e43c30486526a0636568d8f90c580da543f8393f546090f71f87382f99e3e0a2b227b04670af57

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\db\data.safe.bin

                                                                                                Filesize

                                                                                                2KB

                                                                                                MD5

                                                                                                e834f7889fe05055ad5e05bbf08473c7

                                                                                                SHA1

                                                                                                36e170ef95c5b8ed9436788ed4d48dc5c631d4d0

                                                                                                SHA256

                                                                                                1ebccc8f58d5929aa02fa9f39a74ffd53bada39b8801cc8cd17e80a637a1a2bf

                                                                                                SHA512

                                                                                                6e5caec61adc548162766e87b06578b97d152e093ada312d0eda1fb938be1455a206887bf5eb780353a3aa33ab8b62262c6ac4ccb5836e797ff13c6cd36e1c01

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\2010c100-bb7a-4db4-8d05-82a98c2d4446

                                                                                                Filesize

                                                                                                10KB

                                                                                                MD5

                                                                                                fbe36eb9cfbfdd3971c179d706cb792a

                                                                                                SHA1

                                                                                                1053a81bcfecb6f380e066b9e8495b2cf692f953

                                                                                                SHA256

                                                                                                6dfbd1047811b41c3707f8253d7d8e05410bd9566a3d37f29ea8aadf18baba42

                                                                                                SHA512

                                                                                                098fb058fc47b01e8cc942b4f98853b9cabaa828b66188ee525b6b18d8ab801f65f99b4b9cdf9083c71062a303f3a11176307d3b064b384b27a25a4432b56ab9

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\9026a33c-0af5-4761-bbb5-3984e1f4b763

                                                                                                Filesize

                                                                                                746B

                                                                                                MD5

                                                                                                8324a4179593ff6fe6eb1d82e8f9c732

                                                                                                SHA1

                                                                                                2a90abd9e6cba934c0db47ae790fbc73dcc13947

                                                                                                SHA256

                                                                                                2ee4aacc66e522c39d2026451ab289ba8b94ff7d251c0aed4c54c94291296188

                                                                                                SHA512

                                                                                                2a182ea85761973ec90a12bd60d072227e38f658bb4ec36fb79d832d7204bf4a7b5051011ee34bfe6bd4a3fa6829809ad0a3c677f0876a820d0bf6e33e3c2bf2

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

                                                                                                Filesize

                                                                                                6KB

                                                                                                MD5

                                                                                                a80bb1c098c7cfe25a3c7715aaa54f25

                                                                                                SHA1

                                                                                                9730ddb28ca57f331db27c9833be1916d036f225

                                                                                                SHA256

                                                                                                2f345282834425abd4995c02d6957c8495dd6853b61ed1aab9209f28564a84e2

                                                                                                SHA512

                                                                                                7b23cffb764056fb74091f733a94c4f8e08af0e7d52bab4aafdcf581fd7beeb03638154cf9d26a81acbc743c54d0e832063036f2c4d88003e9d8911925e5c627

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

                                                                                                Filesize

                                                                                                6KB

                                                                                                MD5

                                                                                                4c703980a7c2c9230d9828ad80360c91

                                                                                                SHA1

                                                                                                8fdbdfe9f31ea3c2563678ef95a803b032b13b69

                                                                                                SHA256

                                                                                                ef1ed6eb604f4b4ad48d548b8bbfeaa6540e1ca613fbc641ee889d246aafc6ff

                                                                                                SHA512

                                                                                                e8be2ff1dbe8bb63bb187a9b9aafc6f4ffa67e9e36d4ca61a173c8062a7ae492d7cd160e9004f34c17eb8250f50089ccb0c4f526bdef1f10acde1e9ef6bc14e3

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 5a24159e5d0ba5a01cebf63b5be9a9a6
  SHA1: ebd152365478f55b651cf712ae168b2797aac270
  SHA256: bf0da9d90af0c7a8879e0bf5af5ba883dc296b756b69285fd8f1b6f220efcccb
  SHA512: 7234fbaa3d7c4db460499d5f0cc5a3d7961045fc56e1e5e3e83df998a5c2849fdf5c8b10a728269baacb9f4252ef343274053fe42942f26d351b9cb213adf2e9

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 534adf05e3389a2ef33647de3d329dd0
  SHA1: f3d29efc3d16ab4b6bf0d8074e53bd6d697ae67c
  SHA256: 59162b4720a1cc4bd837f020e3d8d623a4bfb65eb4a354b628391fbca1ad237c
  SHA512: b44c2b3390a2ef8926b87955660a1af585a6e7640cf037fb0032334dd24888a9b85fb77943f61913ac43142ee05bd6b710ba96ba6359c061da92a8f51d48697e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: b6eaef0cddec58d987415e65845fe88a
  SHA1: e16660c7b3dd184efd964fb2ec0fd829fb36bf29
  SHA256: 65e3459967d1506a2de1f078548d393a381592fc46a47a0debd59bd9202175d2
  SHA512: 8e2d28b88b3e7bce06017ab573245c4e201abed8b96c52792101f0095dd28d00a03cd070d16fdfdcf5371a70179926eb86ab29a250f2184b1e191cf057f85858

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore.jsonlz4
  Filesize: 5KB
  MD5: b9547f2df4b69f6166d0a4a9b8988686
  SHA1: 7d9faee812cf23ab32344dae4db3d8e751a45f33
  SHA256: 286420c37c359493d336675b9c33a04b720a4a6789988ceb9a52967dc1b5f1a0
  SHA512: 143aba9884b6bf41175b7052e420b2fe41938cb21e8de40ab5e2e42ecf42248a361a098acd2f24b83b00a581dad7d0c5d3eab32cf75f5c0d8fe3592b36cafcd9

• C:\Users\Admin\Desktop\¤≈£Çõœ♫ε9ø↑▀6↑6◘£◄◙◄◘—♪╤╥£ÿ▌♪½8↑♠╠○ÿ±¬ÿ○▲Σ¤╬œ■♣Ÿõ◙éß1▬™¥▐○č☻ÿ♣õφ▲☼å♥žž®▀ñ√█ěš¥µ∩1«☻♂óæ∩►╬9╠č■♦∞♪◄Ç◘9
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

• \??\pipe\LOCAL\crashpad_492_TBJNJHVEJIUHCBRM
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/3144-360-0x0000000074D10000-0x00000000754C1000-memory.dmp
  Filesize: 7.7MB

• memory/3144-427-0x0000000005730000-0x0000000005740000-memory.dmp
  Filesize: 64KB

• memory/3144-2-0x0000000005370000-0x0000000005402000-memory.dmp
  Filesize: 584KB

• memory/3144-3-0x00000000059C0000-0x0000000005F66000-memory.dmp
  Filesize: 5.6MB

• memory/3144-4-0x0000000005730000-0x0000000005740000-memory.dmp
  Filesize: 64KB

• memory/3144-1-0x0000000074D10000-0x00000000754C1000-memory.dmp
  Filesize: 7.7MB

• memory/3144-329-0x0000000006670000-0x000000000667A000-memory.dmp
  Filesize: 40KB

• memory/3144-0-0x00000000008D0000-0x000000000092C000-memory.dmp
  Filesize: 368KB