amadey | 5afc4625af5403804548acde6ca926ce8a9be0a774e837c8617ec716c78a98a5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
Size

1.5MB
MD5

3b58f52654cf24ceac5a682fedf56ea6
SHA1

4e012ff7eed34f394136e4490f7bc281613f84fd
SHA256

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c
SHA512

bbcf48c981fdc8b9019a8388ebc7179474ee9896003431f04f1d978078837a06c22335458a0fd782683afbfff4a06dffa17f09e71513fdaf34e0872597461f22
SSDEEP

49152:CdCs0UvZJ3HkXkf+/1ZvY1qaKidaHjskUWQP7RQ:Vs0UvZJtf6qdaH5SP7

Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Mystic stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/952-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/952-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/952-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/952-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4940-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Tc5kJ4.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	5Tc5kJ4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

Processes:

ab2Gu05.exexR0ra48.exegR4rB18.exeEJ9sY61.exeeH5es48.exe1jQ62EW9.exe2bu2715.exe3Ay80kJ.exe4HZ757cf.exe5Tc5kJ4.exeexplothe.exe6Di5ea1.exe7RH4ca26.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
4700	ab2Gu05.exe
372	xR0ra48.exe
4960	gR4rB18.exe
4164	EJ9sY61.exe
4512	eH5es48.exe
876	1jQ62EW9.exe
2708	2bu2715.exe
4264	3Ay80kJ.exe
4976	4HZ757cf.exe
2388	5Tc5kJ4.exe
4204	explothe.exe
4456	6Di5ea1.exe
3628	7RH4ca26.exe
3124	explothe.exe
5296	explothe.exe
6096	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exeab2Gu05.exexR0ra48.exegR4rB18.exeEJ9sY61.exeeH5es48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ab2Gu05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xR0ra48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gR4rB18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	EJ9sY61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	eH5es48.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1jQ62EW9.exe2bu2715.exe4HZ757cf.exe

description	pid	process	target process
PID 876 set thread context of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 2708 set thread context of 952	2708	2bu2715.exe	AppLaunch.exe
PID 4976 set thread context of 4940	4976	4HZ757cf.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5100	876	WerFault.exe	1jQ62EW9.exe
3648	2708	WerFault.exe	2bu2715.exe
1632	952	WerFault.exe	AppLaunch.exe
4888	4976	WerFault.exe	4HZ757cf.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Ay80kJ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ay80kJ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ay80kJ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ay80kJ.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2404 schtasks.exe

pid	process
2404	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3Ay80kJ.exeAppLaunch.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
4264	3Ay80kJ.exe
4264	3Ay80kJ.exe
4464	AppLaunch.exe
4464	AppLaunch.exe
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
4164	msedge.exe
4164	msedge.exe
3508
3508
3508
3508
1624	msedge.exe
1624	msedge.exe
4792	msedge.exe
4792	msedge.exe
3508
3508
3508
3508
3508
3508
4992	msedge.exe
4992	msedge.exe
3508
3508
3508
3508

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Ay80kJ.exe

pid process

4264 3Ay80kJ.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4792 msedge.exe
4792 msedge.exe
4792 msedge.exe
4792 msedge.exe
4792 msedge.exe
4792 msedge.exe
4792 msedge.exe
4792 msedge.exe
4792 msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4464	AppLaunch.exe
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3508

pid	process
3508

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exeab2Gu05.exexR0ra48.exegR4rB18.exeEJ9sY61.exeeH5es48.exe1jQ62EW9.exe2bu2715.exe4HZ757cf.exe5Tc5kJ4.exe

description	pid	process	target process
PID 2064 wrote to memory of 4700	2064	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	ab2Gu05.exe
PID 2064 wrote to memory of 4700	2064	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	ab2Gu05.exe
PID 2064 wrote to memory of 4700	2064	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	ab2Gu05.exe
PID 4700 wrote to memory of 372	4700	ab2Gu05.exe	xR0ra48.exe
PID 4700 wrote to memory of 372	4700	ab2Gu05.exe	xR0ra48.exe
PID 4700 wrote to memory of 372	4700	ab2Gu05.exe	xR0ra48.exe
PID 372 wrote to memory of 4960	372	xR0ra48.exe	gR4rB18.exe
PID 372 wrote to memory of 4960	372	xR0ra48.exe	gR4rB18.exe
PID 372 wrote to memory of 4960	372	xR0ra48.exe	gR4rB18.exe
PID 4960 wrote to memory of 4164	4960	gR4rB18.exe	EJ9sY61.exe
PID 4960 wrote to memory of 4164	4960	gR4rB18.exe	EJ9sY61.exe
PID 4960 wrote to memory of 4164	4960	gR4rB18.exe	EJ9sY61.exe
PID 4164 wrote to memory of 4512	4164	EJ9sY61.exe	eH5es48.exe
PID 4164 wrote to memory of 4512	4164	EJ9sY61.exe	eH5es48.exe
PID 4164 wrote to memory of 4512	4164	EJ9sY61.exe	eH5es48.exe
PID 4512 wrote to memory of 876	4512	eH5es48.exe	1jQ62EW9.exe
PID 4512 wrote to memory of 876	4512	eH5es48.exe	1jQ62EW9.exe
PID 4512 wrote to memory of 876	4512	eH5es48.exe	1jQ62EW9.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 876 wrote to memory of 4464	876	1jQ62EW9.exe	AppLaunch.exe
PID 4512 wrote to memory of 2708	4512	eH5es48.exe	2bu2715.exe
PID 4512 wrote to memory of 2708	4512	eH5es48.exe	2bu2715.exe
PID 4512 wrote to memory of 2708	4512	eH5es48.exe	2bu2715.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 2708 wrote to memory of 952	2708	2bu2715.exe	AppLaunch.exe
PID 4164 wrote to memory of 4264	4164	EJ9sY61.exe	3Ay80kJ.exe
PID 4164 wrote to memory of 4264	4164	EJ9sY61.exe	3Ay80kJ.exe
PID 4164 wrote to memory of 4264	4164	EJ9sY61.exe	3Ay80kJ.exe
PID 4960 wrote to memory of 4976	4960	gR4rB18.exe	4HZ757cf.exe
PID 4960 wrote to memory of 4976	4960	gR4rB18.exe	4HZ757cf.exe
PID 4960 wrote to memory of 4976	4960	gR4rB18.exe	4HZ757cf.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 4976 wrote to memory of 4940	4976	4HZ757cf.exe	AppLaunch.exe
PID 372 wrote to memory of 2388	372	xR0ra48.exe	5Tc5kJ4.exe
PID 372 wrote to memory of 2388	372	xR0ra48.exe	5Tc5kJ4.exe
PID 372 wrote to memory of 2388	372	xR0ra48.exe	5Tc5kJ4.exe
PID 2388 wrote to memory of 4204	2388	5Tc5kJ4.exe	explothe.exe
PID 2388 wrote to memory of 4204	2388	5Tc5kJ4.exe	explothe.exe
PID 2388 wrote to memory of 4204	2388	5Tc5kJ4.exe	explothe.exe
PID 4700 wrote to memory of 4456	4700	ab2Gu05.exe	6Di5ea1.exe
PID 4700 wrote to memory of 4456	4700	ab2Gu05.exe	6Di5ea1.exe
PID 4700 wrote to memory of 4456	4700	ab2Gu05.exe	6Di5ea1.exe
PID 2064 wrote to memory of 3628	2064	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	7RH4ca26.exe
PID 2064 wrote to memory of 3628	2064	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	7RH4ca26.exe

C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
"C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 588
        8⤵
        Program crash
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 540
        9⤵
        Program crash
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 612
        8⤵
        Program crash
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 584
        6⤵
        Program crash
        
        PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4204
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2404
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:2368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe
    3⤵
    - Executes dropped EXE
    PID:4456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A76.tmp\4A77.tmp\4A78.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe"
    3⤵
    PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffdc54946f8,0x7ffdc5494708,0x7ffdc5494718
        5⤵
        
        PID:1224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8464394576591200258,3912340075654944157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8464394576591200258,3912340075654944157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffdc54946f8,0x7ffdc5494708,0x7ffdc5494718
        5⤵
        
        PID:1568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
        5⤵
        
        PID:4976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:3728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
        5⤵
        
        PID:1408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
        5⤵
        
        PID:4172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        5⤵
        
        PID:780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 /prefetch:8
        5⤵
        
        PID:6068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
        5⤵
        
        PID:5132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
        5⤵
        
        PID:5320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
        5⤵
        
        PID:3556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
        5⤵
        
        PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
        5⤵
        
        PID:5556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
        5⤵
        
        PID:5564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5840 /prefetch:2
        5⤵
        
        PID:5956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:5112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdc54946f8,0x7ffdc5494708,0x7ffdc5494718
        5⤵
        
        PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18165509693370091018,1229602589578352036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 876 -ip 876
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2708 -ip 2708
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 952 -ip 952
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4976 -ip 4976
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5296

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
964f17883288fac96402098da063ba47

SHA1
fbfa856949e464b4fb9b7c20cd3dee16686a75cb

SHA256
f0eb5a246aede83e799d65d5a7616ddf63d9dc473c6d82f22ea5513aece1d2cb

SHA512
603fdfe59a9b8fcfb1e60f1ab9cb2b743edc678da6f6c6f50c800e715c4281b1314f2d21690e4d38774ba113eeb807b942b25c8f6c8ccf54f1a3bf9e74d0cf94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ecb9c30af4687571e2705e41772812f7

SHA1
a390fedfd6cff3d7a18fb2b17820fcfcaa39ac58

SHA256
317a85d5a5ab17429e781e64ddfa876533e82f12f53a243976b71135ac01023a

SHA512
e62b7f66fdb08ab8cdd11477dab469b4838be716f8cc55dd36eecb828f485df4af2cbec127adf371cf85839f79c7ab363d4963fc6202a309769ee3db3b332bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fb72a68135c93ab44421dc460d28712c

SHA1
2b850bd50a1ccbe68fb9c83d3e5e2549ece486d1

SHA256
fe8ae13dab902355415b5196a3ab111c167df669cfe5d004c7eba0e64b383a85

SHA512
004af2015c9410c14468da2f9b443c5fbd24391dcba39337c33ab738b9b07c31407901e56c6f01e86bcb77991a0e7837bfed01b21d3edada6060c660b4d40143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a59a229ba320dc791036ff52ea43de0f

SHA1
dd6aedd7073f5418f6ed059b58fbe664324fb6e4

SHA256
4e162235a745a00f0b817f0506e52ea7f9524b6308d9da1fb210510d48e6c058

SHA512
0432ef122636fd2d2ba21ded7829ce8f4d91d40b8aaf04301f902bce6560153077cd4ca8aa4c0e375a3dc001725897fa956d616c89365c44375d735be7358ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d0e9e410e994a96bb3c35587dbd7d213

SHA1
33ac34cb769e6d3895e27f27d7805dd112e46f60

SHA256
4fd1fa505fcc30043def1096a421437d67288d6884b491bb77df01214a095319

SHA512
010b7ee48c60de3e8d2edfdc07c807cf88840e7aa21343bd7eab8a7f422ed8e2672502e15a4cdb6e0c1a9083204327de66214218b953cdef67dbd38905c239eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
14e592e6104478ee4851b31d8060ce4b

SHA1
b3c12bc4ba37542ff92a8281e4e60f1317b7cacc

SHA256
1ff93c966c842ac88412691bb5d49f0ae63dc7749c4fb80fc9ea5999a08497ee

SHA512
17e574dcadb2e3c1355c43188c03ad70882271d48964f7392229b03f3d74defc4fd2f14b36c587a76e393f9e089a227450fedb96adf25028883feabacc7448ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
88a963d7f3849e0e1d728c1af1b70db2

SHA1
da3fff86a3d8b56293e321201eb45f7ca3938372

SHA256
c52aded6dfd5a30394f13d1946d43b6a51b9c51b36265dcaeab860c49f2e5da2

SHA512
85d84f7469f25ecdae8be98c7c3e3ef19b3d55f03f472573087dad623b526941afa1c13c6e927de2fbaff9753c17bb3332664ad054f93a965102e5e996ad62f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
76a123011a383e26d7b7ad42278e5117

SHA1
23984f54906d5a652d98664e6837edc718a432ef

SHA256
b232d0fd14f9e1f693c9e9993469e0e0464103e699376321c588d476e1b05fb9

SHA512
9348433af02c94ba86a874a7670aa9713c030a6876e14b73a93037fed431b516f867074b889c7b9a58dfbcf4b966d9bb9fd2c01f57ee595ff56bddf332930321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9103a2ff303d96086b4127a540b0d0ca

SHA1
44b6466acf4bcd74bbb89da05b24ef5bb8e3c208

SHA256
20ec70e5401d2a99985bf2d4fa8d1f7bd9b5d17ef6f6418ebf57a2eef6db0434

SHA512
4fd59f585570595fcbc196bf10aa93b2b487c6862a05fce31b37eb2dbf397e0cb67c35ca1e500e399e081ad79e1bbd7155308f25aeea4a74af856e641e445930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b640.TMP

Filesize
48B

MD5
acdaa64333bbcef60ca656f3d1cb4aa1

SHA1
153de06628b22a30c09f228ab0685f69dd67ad2c

SHA256
515541b54f1786b83e90ada2aa2b67c5b56232431d85151c3f7b1cba9537613f

SHA512
9eb951bc4067503ac17301a2ce148cf368134251a2fdc767368dad6c31a333ca2eca3201c6ded5b80e50c4594271e3a9b181aa6751b1fd15c84fbca6545623a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63f37f940c269f27a8737f270113a3c9

SHA1
d5dbffb3027b733c11776102ed07cbe19eb45410

SHA256
ecca2680bda7b6747762e457d9b109b8362214689f262d24f7136bb130d81c84

SHA512
e02316df8e4266122194cc03f6cccd6fff2743881d7d22a4aee9f1a3092baec151bc0bccc8892d9316a82d9910dc1d76d4aa2e291e5939bae3e63826fc1d570e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63d686801371609251ed678d9b5e9ba0

SHA1
860d410c518a4bb10ffbb609348bd4486d6e0c1e

SHA256
5e672af11138fb328c34bd3499a4620d9bbf6cd509aae49dd604bcb6548440e7

SHA512
e406e0fb5cba9ac25697d86f8f9d5d8320dda78f17c3e93a0a8a33a52bf597cb2fc6031bfe904b39923585aebed5e557e6b81da371db417240fb7d06a4f5131d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d0cc3fee8e3407659391c44950122ca

SHA1
ec814c92ed993c925f556ec869781b17f3709f39

SHA256
b9f7cc834a5a2ad556392e48432578bd3a2725b67e783899e9a8c85ba8b15146

SHA512
b9498d82d4a1291cd9f37416eba3909e918bfabfa15b502a1f33204efa27aceb915944211a1da5e6462c2fa3aa5052b331e7fc91e24c9533b59ac913dfe63753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57add4.TMP

Filesize
1KB

MD5
c77687ad47d20808c0b9719a1233e2bd

SHA1
bac97ee8d3df00a1a4530ad82008919d1ca9e607

SHA256
0b73a3ad3557445a974c4e0f38ca5115ce5299ea477d579f521ad8f58d4f48d2

SHA512
0ac9dd261b1793223fd58fccc7a07fc24f8e233f0a851e410c866469c8f7d7d0c2ecc927053adbebd7755a9842e86f4cd8d277673218921423aa3a540392e453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
774330dd1457999dedffd26ca7a1fdd8

SHA1
36c350b2cfcf2bf17b87310658d78339d8d159ba

SHA256
539067fb490494b75a014bd586254ec0d966869928a315528a9a6ff3e7eed20d

SHA512
88b5374bbe5b88a194453c6338380f42ba091dac22dffdf1708e1a6c3d8436005e8baae428a4ee44f2f6dc4d5e153e65e6542afe875d3b4dc2b451c18efc85c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
dc08509ec010feaa0039dd0efa000fbe

SHA1
f58941a637a89ad480853072908bd5f00471146c

SHA256
e3d33848d29439a29a95b3faae68959be643a321f427c0bbcd10675a37cbd1dc

SHA512
953f84f6a606760ed81197f1779f8836f8911330d039d14108e3c8e16cb593c52a6c28e02e0b483cfcfe34a18cafa7359b3215bf2c3d3debd7f0517c3ba5e81e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94a0c2b8177e0c7645b91ac23b7d95a5

SHA1
aafdd88c3369f8821f637ccd1fd76a3d5f878cdb

SHA256
8c4cca1ae13eca9e97f280120eebbef84dfc596666c965f8ebcf3fef5652a214

SHA512
e540870282fb11499f45b89cc64256e65aca457fab840d61f490e8822947eb61fe46b8ba359fc4f34cb0c9407726861b63e6488a7f4dacc6be3f3ec0959b571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A76.tmp\4A77.tmp\4A78.bat

Filesize
645B

MD5
376a9f688d0224a448db8acbf154f0dc

SHA1
4b36f19dc23654c9333289c37e454fe09ea28ab5

SHA256
7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a

SHA512
a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe

Filesize
89KB

MD5
19b35690fef22b53e35cb4620c110278

SHA1
40d0326f69fcb00feebb4837bd27438a704be293

SHA256
dbd44f7f9eb2d3b661b4cc1b29641771f18a0f1a799780fdaa692881e821b8c5

SHA512
37042b386e70d15b67059768f68c65713d34a8a244cfdb8bd66eaa3caaf0122d16a5ebb2d1630fa47a305c200463b4c2a2ea6dd8e87a9a6e3ed5f12ad641950f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe

Filesize
1.4MB

MD5
72e03d75bf021a1e1c28ff695d055e65

SHA1
4bf5e85f2cea24d2ba29301752ead08f4e3335a6

SHA256
4e82df1cf92a65295b16dbc6970198ae671c24fac90a7f652d7537f191014917

SHA512
de178b3877e6e91be15e47dbe0ceab6e0516789c0e8bc518efc08ed9549e8e365a11275acd30c7d469c957bd15bf57f7acb7f10fe6dc417c070dc6a6bd754577

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe

Filesize
183KB

MD5
a74799b632685d03258b15358c504f6f

SHA1
4ecc07bfb9529bca4802624b3022f1f5c1bfb0e9

SHA256
55ce1354cdacb4dec0dc86e9f226811b03f9a6319e4081414150a4e430e9c6eb

SHA512
2343190d7aeb9441e4790ef280af0e3a0dbb7902b5b1a7d3f81aaca360af71807af004cdb53ab608cae6cc821d236aff758e3c217032495c5d96fa5161c15935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe

Filesize
1.2MB

MD5
499e17320cf1e742f55e01f7eb92336b

SHA1
3fc2af18b4fdab29de2b69fd3ecda89c7d407e9a

SHA256
898bc6a3ee887af2d77e1d992a1f38c14e01fa69e89475a706b24e9d6a63e7b6

SHA512
67c26da5d5d6819d5a369a82ab6b8b7aa1b18d7fb7af7faa875392f0d0642551e815e22257680f6584ba528c0d720d40cc3aa21024bf6830942ee519c5669ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe

Filesize
220KB

MD5
aa7cc12b3dde7d799e1183153155d888

SHA1
8f394a9bd8a8e228ab7295cebd3309096309da64

SHA256
ac667d2b3675379b1281d8c0f55314b363c58628b9d7144ec032df1c6331dc0b

SHA512
0f2dcc4004fb66ebe082f449bb848acb643ec6a34d0fb152cba49537e2a277cd45fe603202d81c2b79016500eae030cd59f0835461aee86a3fc89f928cd2cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe

Filesize
1.0MB

MD5
5a68637c88b223f1fac3fb1c4ea1b538

SHA1
a655224147ecabbaf4d8bb2577156209b51fd9aa

SHA256
a5c6444cb47785f054f5b56131c7302dc491a3c6132b58790b8d31fd9837df16

SHA512
0df0c017d6d636a5ef348535968341f01fa7550eddf8ab3a3b45d65b7f5099ac9e5392134b2491ba861d68d0b4545b84dc8cef4af8931c41e9689e9b5014755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe

Filesize
1.1MB

MD5
015e607043c90b874c79fbb8d90eca89

SHA1
ff203ebdc57402fc379f5ad5a08f2538b8f72dd5

SHA256
d07bfeccd987516ff3d4b1bc4ce077a883ffcd939f579a671d157fd2d4517ecb

SHA512
67c9f170ff8b52a254cdc029f7ccb88cb83219818c08115c8742cccaea0cc05eaacb4bd894ff76b995b55864fe85feb25df024c973bee8643f08897906168719

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe

Filesize
652KB

MD5
e6e37e2474b5937c1a145f756f96215f

SHA1
4213fe56509f7abd595e50d30e4a73aacc64c9ab

SHA256
a20f06c5948ab7494affe351d0a576ac5740af4869dc6506ccd6a1500ab485a8

SHA512
0819e4326326e6c0f6f8fc96430e88be19caf87388faeeac8074cd4e417fb5e145f8ebb3538eab156783b0d59a0b8a1f307121cc9e631f998ffc12c6148ca738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe

Filesize
30KB

MD5
bc03a784fd2017ef45b2a287e5cf2677

SHA1
34340ea6b35e566d0f2679da52b771d05502047b

SHA256
52f47ea7d168e7162ba6acac451627775216b7761ad85a5e72d8c274d5703f2f

SHA512
49fdbdb52ae19d4939b875b2884467376bc2d21e64e828ee69086d0b78d3fe447f0a719742d0d00038eb4d3ae00d47af7a1362483f43f22c5f97b9aadcb6d8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe

Filesize
528KB

MD5
b4025db382bf54c40fe5db916e2cc818

SHA1
bbfe26d8397f215a1924530e2fb072d806dfa115

SHA256
afc4ef89b474589eac5a915c2d0d4581667b214fdf56c0169edb11b8998fc56e

SHA512
924deb510b622e7accb82eefaff33ac351b7a54e46ccc2945502cfe64f733e9d57bb3e6f2ff30884304808d01bd377b4c7a1406521f4c98e72071c7b3de8853f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe

Filesize
890KB

MD5
327aa11b65c9cbe127902f2ec75fba02

SHA1
458538e3618da2f69566bf654a19a3aca30d29a2

SHA256
fd4b9ba15bdb3f4e55e650a648830320ba602ef2bdd0d3f7a793123460229a81

SHA512
d3d4162fab37875565500b773595bc643c3a073a3154fd894bb50db370a09195b97bc1d593d3c2b007c1276608dc47328e41cf81401fe1c8bcc91a6f15a599d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe

Filesize
1.1MB

MD5
0ccf469c1d2932e86d4a8d0e076e0f1b

SHA1
f6dc4b3f9918e82cbf0e66de7240f5b2bfd5119f

SHA256
39f35aa3c665edd1a19a13d8e030e667399e917d4ac23f236609688b35755615

SHA512
ace2473b33424eb4f4cb1bb0110570fc35d95d1459f817646eec16bb333e9efa76aa3c467eff413c4f9531e1086bebbc7887bf8f2703dda13a7da0980029bf27

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/952-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-56-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/4264-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4264-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4464-43-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4464-186-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4464-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4940-66-0x0000000007BF0000-0x0000000007C82000-memory.dmp

Filesize
584KB

Download
memory/4940-378-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4940-379-0x0000000007E00000-0x0000000007E10000-memory.dmp

Filesize
64KB

Download
memory/4940-65-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/4940-82-0x0000000007F20000-0x000000000802A000-memory.dmp

Filesize
1.0MB

Download
memory/4940-64-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4940-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-67-0x0000000007E00000-0x0000000007E10000-memory.dmp

Filesize
64KB

Download
memory/4940-92-0x0000000007E90000-0x0000000007EDC000-memory.dmp

Filesize
304KB

Download
memory/4940-89-0x0000000007E50000-0x0000000007E8C000-memory.dmp

Filesize
240KB

Download
memory/4940-73-0x0000000003060000-0x000000000306A000-memory.dmp

Filesize
40KB

Download
memory/4940-86-0x0000000007DE0000-0x0000000007DF2000-memory.dmp

Filesize
72KB

Download
memory/4940-78-0x0000000008C70000-0x0000000009288000-memory.dmp

Filesize
6.1MB

Download