hxxp://google[.]com

Resubmissions

30/04/2024, 11:29

240430-nlqy3abb7w 4

30/04/2024, 10:42

30/04/2024, 10:33

30/04/2024, 10:27

30/04/2024, 10:22

Analysis

max time kernel
369s
max time network
367s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
30/04/2024, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589468929211009"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	wwahost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdo = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt2.microsoft.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt2.microsoft.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceh	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "2"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdoma = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "124"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost = "1"	wwahost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "0"	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperienceh = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt2.microsoft.com\ = "40"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdo = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "124"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\Total = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt2.microsoft.com	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\ = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "40"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "40"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\NumberOfSu = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache	wwahost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4980	wwahost.exe
4980	wwahost.exe
4980	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4324	3776	chrome.exe	80
PID 3776 wrote to memory of 4324	3776	chrome.exe	80
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 1016	3776	chrome.exe	81
PID 3776 wrote to memory of 2484	3776	chrome.exe	82
PID 3776 wrote to memory of 2484	3776	chrome.exe	82
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83
PID 3776 wrote to memory of 3540	3776	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97cdeab58,0x7ff97cdeab68,0x7ff97cdeab78
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:2
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4172 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=936 --field-trial-handle=1708,i,2643475692780223190,9671935027449266602,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1824

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3740

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4116

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3b1f0ffa9d29e25bb68d41a68a0d7463

SHA1
01805338b030d5c49b7ecac279a5473799b2f985

SHA256
836920d0c605ea846e8ad91a36bccd88d84e617fb272021936d0d0265c2742d9

SHA512
e79245d091893ead29d37212bec7487b12cec7d1c499f29aae6f780584cb505fe3d948505be895e7fd009211c6575e86ac6416e9eb9a762f9dce26a4d9bf54e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8cfc54baa8b3b28af69740b4904a3399

SHA1
36163f39d1e23b57debaf7aea652d7eeb8e8c5a6

SHA256
f93d08f5bdab217a7d3f369684bd276640ec77d7c68beeaa56f8a49709e240b8

SHA512
994725b64ffc75090d6c4db34d7cd924898482a2a093a737b177824d64c3c0df43f19347c937ff65502f5b688f7061b2764e1dd6c333fc7a5537d467501a3924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2d14e9e4130c8aa5f4d7de744f7a0165

SHA1
342f5df091a1c260fbe21ad75790f3e16da92fe6

SHA256
a713fc3d9ea98f365f789bfd713c5ac9258a9817158410e97b3860182c2ea154

SHA512
abe450971fd6c972b58bbeb6c3ed7e9a89d0a6488aafb4fb2e109a074a290a5d303d1b5a213ef67e7d2d157c1b7f1c3112e25e9a0b80c59309a56b23dcd441a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
540e09b2bbb758cc4174b2dfbe4c5ff2

SHA1
4824add292ac6ed01a9ce2b368529b6370adeaf0

SHA256
292577355eef03965efa45f009412212edfafa92ff347db19d55297866a1ba08

SHA512
6ef5b750d4038ef355fc5b672cd4707655a8692b41100fd65c3b6a2f6acf068b090ad5c51eca94e3ec5fd39e18a4168ea30ef16ae6feb6a916bc762cc4b1d294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d04a34548fcdf57a813eccd730cef19d

SHA1
40187012448b0f368260e47340ab6c48605fae6b

SHA256
8a0319c774ade4f0e20a7a30bfffb6facf2a8d4d558eebdf49b11337a0865ebc

SHA512
4887cf0534a26c489d27540aafaa531717c0ca77d72d8190be910267f017317869c6dc1ae58975d251439da6f1bc64ad0c977655b1f5acd249aff1959ca411b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1b4f1610ebd6f094efb20399910c35e4

SHA1
7369de084d31fa0beffce15e1fba506f1569b192

SHA256
000cc4ca54c4c41dabefa27a09bee2e7f057b2d9466c50f9dccfd0be4c0b8b9c

SHA512
3d401a616a6bf6ffc2a53eacd91dc53451bba94397e2f97e92c34fb55501c21bd82a0db53caa7124abd0b68a3bb335476750968232f33ad0cb760887be195f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
7f3cc146edcf4b83fb49916664a0e3c1

SHA1
076443d29decdfe714207fe7adf8ad8cf3226a45

SHA256
637159d52cdf93237df48d12617764f25a0204b9d2d81f283d32487b151a8544

SHA512
563ace50a943c1d38128212c3c30e41d06515c686e1c025e1468f1e8932980b61112d5b1956b3527ac9b95657c9b3b99324f0e6f6636100b4b4e51d6cfa282ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\O0CUO7L5\account.live[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
memory/4980-430-0x0000025B7C5E0000-0x0000025B7C600000-memory.dmp

Filesize
128KB

Download
memory/4980-1038-0x0000025B7C730000-0x0000025B7C830000-memory.dmp

Filesize
1024KB

Download
memory/4980-460-0x0000025B7B700000-0x0000025B7B800000-memory.dmp

Filesize
1024KB

Download
memory/4980-491-0x0000025B7CCA0000-0x0000025B7CDA0000-memory.dmp

Filesize
1024KB

Download
memory/4980-664-0x0000025B7F5E0000-0x0000025B7F6E0000-memory.dmp

Filesize
1024KB

Download
memory/4980-655-0x0000025B7D860000-0x0000025B7D960000-memory.dmp

Filesize
1024KB

Download
memory/4980-435-0x0000025B7C8C0000-0x0000025B7C9C0000-memory.dmp

Filesize
1024KB

Download
memory/4980-868-0x0000025320100000-0x0000025320200000-memory.dmp

Filesize
1024KB

Download
memory/4980-889-0x0000025B7C8C0000-0x0000025B7C9C0000-memory.dmp

Filesize
1024KB

Download
memory/4980-886-0x0000025B7C8C0000-0x0000025B7C9C0000-memory.dmp

Filesize
1024KB

Download
memory/4980-938-0x0000025B7C5E0000-0x0000025B7C600000-memory.dmp

Filesize
128KB

Download
memory/4980-449-0x0000025B7CAF0000-0x0000025B7CBF0000-memory.dmp

Filesize
1024KB

Download
memory/4980-1037-0x0000025B7C730000-0x0000025B7C830000-memory.dmp

Filesize
1024KB

Download
memory/4980-1199-0x0000025B7FC00000-0x0000025B7FC20000-memory.dmp

Filesize
128KB

Download
memory/4980-1275-0x0000025320D40000-0x0000025320E40000-memory.dmp

Filesize
1024KB

Download
memory/4980-1274-0x0000025320D40000-0x0000025320E40000-memory.dmp

Filesize
1024KB

Download
memory/4980-1276-0x0000025320D40000-0x0000025320E40000-memory.dmp

Filesize
1024KB

Download
memory/4980-1295-0x0000025B7D540000-0x0000025B7D640000-memory.dmp

Filesize
1024KB

Download
memory/4980-1373-0x0000025B7C730000-0x0000025B7C830000-memory.dmp

Filesize
1024KB

Download
memory/4980-1481-0x0000025320450000-0x0000025320470000-memory.dmp

Filesize
128KB

Download
memory/4980-434-0x0000025B7C8C0000-0x0000025B7C9C0000-memory.dmp

Filesize
1024KB

Download
memory/4980-309-0x0000025B79750000-0x0000025B79770000-memory.dmp

Filesize
128KB

Download