45e94c10bbc148cc1f0e810ef4a64b3b2814960515bbe6c69d8570dde960e0b2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe
Size

3.8MB
MD5

8f20f82e55f613e3387d8a4393d84415
SHA1

1fbb59f002e77b5608e555d5fb856ec649a94128
SHA256

fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e
SHA512

3596ff1cd6012bc0c3f6a8f928dc124499b2c64406ae8e99d994e84c6f8e817869adb3c23a1ca221a418521dbba2592bef264c43514a0dbab794d69b57af3f4d
SSDEEP

98304:fbst8f/CbxPjMQCx+eU9XLfZUN0VoIojgMnrL8007F:fb9nCbx7My7twqFojgMnfe

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

Executes dropped EXE 4 IoCs

pid	Process
3688	HX6eg45.exe
4012	Aq8fa68.exe
2296	1aF72hB0.exe
2996	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	HX6eg45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Aq8fa68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral22/files/0x000800000002341e-20.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe
2996	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1072	schtasks.exe
1216	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2568	msedge.exe
2568	msedge.exe
1488	msedge.exe
1488	msedge.exe
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe
1952	identity_helper.exe
1952	identity_helper.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	2Xd7831.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: 33	656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	656	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2296	1aF72hB0.exe
2296	1aF72hB0.exe
2296	1aF72hB0.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2296	1aF72hB0.exe
2296	1aF72hB0.exe
2296	1aF72hB0.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2996	2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 3688	232	fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe	85
PID 232 wrote to memory of 3688	232	fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe	85
PID 232 wrote to memory of 3688	232	fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe	85
PID 3688 wrote to memory of 4012	3688	HX6eg45.exe	86
PID 3688 wrote to memory of 4012	3688	HX6eg45.exe	86
PID 3688 wrote to memory of 4012	3688	HX6eg45.exe	86
PID 4012 wrote to memory of 2296	4012	Aq8fa68.exe	87
PID 4012 wrote to memory of 2296	4012	Aq8fa68.exe	87
PID 4012 wrote to memory of 2296	4012	Aq8fa68.exe	87
PID 2296 wrote to memory of 1488	2296	1aF72hB0.exe	88
PID 2296 wrote to memory of 1488	2296	1aF72hB0.exe	88
PID 1488 wrote to memory of 2504	1488	msedge.exe	90
PID 1488 wrote to memory of 2504	1488	msedge.exe	90
PID 4012 wrote to memory of 2996	4012	Aq8fa68.exe	91
PID 4012 wrote to memory of 2996	4012	Aq8fa68.exe	91
PID 4012 wrote to memory of 2996	4012	Aq8fa68.exe	91
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 1376	1488	msedge.exe	93
PID 1488 wrote to memory of 2568	1488	msedge.exe	94
PID 1488 wrote to memory of 2568	1488	msedge.exe	94
PID 1488 wrote to memory of 4592	1488	msedge.exe	95
PID 1488 wrote to memory of 4592	1488	msedge.exe	95
PID 1488 wrote to memory of 4592	1488	msedge.exe	95
PID 1488 wrote to memory of 4592	1488	msedge.exe	95
PID 1488 wrote to memory of 4592	1488	msedge.exe	95
PID 1488 wrote to memory of 4592	1488	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe
"C:\Users\Admin\AppData\Local\Temp\fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HX6eg45.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HX6eg45.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Aq8fa68.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Aq8fa68.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aF72hB0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aF72hB0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8010846f8,0x7ff801084708,0x7ff801084718
        6⤵
        
        PID:2504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
        6⤵
        
        PID:1376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
        6⤵
        
        PID:4592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
        6⤵
        
        PID:1080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
        6⤵
        
        PID:4056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
        6⤵
        
        PID:3968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5048 /prefetch:8
        6⤵
        
        PID:3004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:8
        6⤵
        
        PID:1432
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
        6⤵
        
        PID:3680
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
        6⤵
        
        PID:4016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
        6⤵
        
        PID:1832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
        6⤵
        
        PID:2956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        6⤵
        
        PID:3740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,4021898524866477019,1358262625016604057,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Xd7831.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Xd7831.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Drops startup file
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2996
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:4160
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
b91a34754c6eb2bcf05082ad26d59d57

SHA1
2def95f0a7dea73c0f4ff26d21b9a5f3b44cecff

SHA256
7bd35c3c2b0f4b4baee393f94658734a19e3931db14c5781d00efaa248373384

SHA512
6d6d9995167260fc8a0dc894e047492b114b3e4e2d70da3705e9b10147ce1dc93cebed24569bd3458a9b396c842a4cc08fa18b87977a81eb4cce17f789fdad77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c03c87a2a4e65de604e2e4e68ddbf028

SHA1
d5905cd7cd0114d4dbd6b09cd09418a03338e702

SHA256
0e41078f47717a9abf71bde51c7b1eb9e6d68285a86a45348150f9fe415be07d

SHA512
09c43477316b95502125d45bbd077f07d18bfdd273bd6db19cf23776a42438eacf20a31413b36e7abbcea9d44709b17481fba6866dc834aa96a3b7d74e233e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a4fff246d407da7969c8808fa685e931

SHA1
c009da58c98ccc7231038153453019fab8a91e4a

SHA256
ccf6c7116227a7fa22ff65c61ae615df7d60a3874c94117ec23aa180c4de62a5

SHA512
4e766aa62ec2f2f4f32c475a7da817dc17ecea6f7c8b84a140663e946515097224b9bff61c1cfaf7fb46628ab948daf1bc813e5d543bb36cd9b7bd0ad72aca87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b3e064f8c663c0597127030e4c372a5

SHA1
fc4a8ba37dd76269eaccd5a30c921d2ec75739bf

SHA256
49d847dccdb37cc5ca22774ea8281c91e861d875dbffdf94aab21a08cc8c175d

SHA512
b51ab572af3d9db1a0c8ea33ebaadcc4226f24480643ff0781c58087ad018a3bbff81a5b167c162ff59f32447d851e18b6c09ed54f7c8f3c200a50162c7756ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea783f3789d6c138c849d89653a9ad09

SHA1
46a413323531e29de75a6bd2819365ac8e67bda6

SHA256
f580a59ff32ba1660fa5d423ba5bfad0442125d86ca9893c39ebbed8bedf8623

SHA512
e79d7f0af4e18af98defca0f0d1b9ea6deb1ac5c17e43d17eef5676e5e2a623ad494e0196e660b36c0b1beba36c8c9da0ba50658a9e6e4aa2b7eb18a041f891e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bbdf822e-6ed9-408f-8397-f9638f9aa3c1\index-dir\the-real-index

Filesize
2KB

MD5
1ab11333eb86029af3958e15f5cd86f0

SHA1
b6f8f8a8ad23ddba9b5a43cf1336bd55f599c77b

SHA256
f8233c330ef6692eab8f884339ef4db9295901eef705b4d6e18ba8567952de2b

SHA512
8166300e80861e221061dc550df1c28e915118cc0c50e49f66ec73ba6f0e06f0c897b71deb5e4a79de2349362be9a3ca03edeabb8012c6f8851c0407a0907c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bbdf822e-6ed9-408f-8397-f9638f9aa3c1\index-dir\the-real-index~RFe57fa9c.TMP

Filesize
48B

MD5
d93263f812f1b69161262b940c7f2a06

SHA1
c975fa9d9b2e01dc874c44a623f4a52fb6cf8ff0

SHA256
c43455ba9bade7a894a7d740080f1700a7fbc3cca106ea1f7bc731d83dce60ed

SHA512
61c87e3c97a89a819f885ab70ed2099459b712c8f166631572f1174982dcdaa23251de28eba76a77357772a71c3be50cc50de66f6e5075c07d012c8747e2bd33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
0a552f6b2052d0e1bade235d99b2cfb2

SHA1
523b7723311d1f2e87d50dcc66d4029d33755329

SHA256
061484a6a304951cf10c4b7ab9672f78afd924b5520ae17800b2504d5c325a3a

SHA512
60012f47bbe33e68efe42a0dd33bb3818d08590b124200664446e0c0805d3cbd9177458d709f603ccac113c25c8ede821787529dd553c95798773fd30dd2ddee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
71d467f64ef167feb9dc4bdde009b7bc

SHA1
8a05a21b096658a0bea704c0b91965566eba87b0

SHA256
1919a7430e9dd412138c42f59fcfd8afd9d870154f3a23bb83c79148ff51be50

SHA512
496c55874d7e8089aa474354cc840ccd5779a70daf32e0d8337cca125c22f68a3b9b8c942fdac1662ec287af057cb742c360c2c89e5e69ca159b8f59e1536e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ffccd2434f9be5aab91acd67ca9cf0cb

SHA1
7262eb7689b4019b28de1370987323edf28112d8

SHA256
5f7126226df59d71958beccba2c58fad4f4a2d747d103affb89232d3670e1b24

SHA512
e8febd149fd5129f92570287ca8a5cb847e66f39d124811aa45015df2e2aa5110558c90f86d5273abc336cfbd32c4356c40637e339804939acb51b0779647d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
84B

MD5
446720866ecec7e418e2ce567b964e53

SHA1
6ebbb095599501c566acec932c07df3b5833d213

SHA256
3ebf394dad1ff7d14c2f7bd1eec9ae03142475718b240e2294935e68873c00ef

SHA512
4be2e43e41cb7b4aae540d07733bd5bb7dc37275b1e97a02e1dcf9feac47d299ee135e645055f3f15c95d8d2b44c1d989588c2021e2f4c38a290e7ff545e71f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
38b59f30c113404d10fb96b3ab31f653

SHA1
31edbeb617f7dbeff5291301ba879f50da758218

SHA256
e9036c153781908534d65d65fca41badc90fb2376a13a79b0513ba9805168456

SHA512
9113582f55e5d7f324b59ef52a0d7ac4f8cca8bc48d69f1b1c3ef837224a4358d611dc664fc40749c57d2c1c272909aa17fc27388644feb5b06c9b23103a2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f25f.TMP

Filesize
48B

MD5
aa170863c16fef2570dbbc906dde6989

SHA1
5558f8e9e103a542cef901c0bc50171c1edc5472

SHA256
2a196af3bde8503ef08f496c3d8322c7c84e827201761755d94f5342cfe287d6

SHA512
a709b89e025e1bf80934b323b5eb05a3d548b6d8d44430303e1f1dd426e6c704632e6287318a3e8452090be395de2c0a09b51316f59968d30a86cf56997e929e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6123b3690a8f871194675947b959ed87

SHA1
f3120d960dc9b678de26a5e5701b47d8fd9adfeb

SHA256
75e09c52d674f2a2476cf632082bb7dbdbc8a8970a0b0ff0e4c0037e69718489

SHA512
dc0b4e01b57b98c28fd27a7d1f8cabd2e7ca47298f5ce106c79bc2a8441530ea5a9d89e268567f6b982822b8e8576ae585c7e7a5cbe1a2e03a5e51e4718beb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HX6eg45.exe

Filesize
2.4MB

MD5
b56c9c48c9be9fe4136433ba42ff386b

SHA1
ca41a545b363d093d54478164341a674d14fc20e

SHA256
6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

SHA512
cd0d1d2515ddfa2f82c0a231ac628087ec07e12ae18f16725c8c00f143e42babbdf6fdaa364c3a73995b11c500229ed2b80fb0b49ee9c053b27d00c0318b30f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Aq8fa68.exe

Filesize
2.0MB

MD5
e1ca89e321f8198d4253c9178eb523ff

SHA1
fe072ee589998082c37b054c4d8e4f0a6aa4eeb7

SHA256
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

SHA512
af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aF72hB0.exe

Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Xd7831.exe

Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3krry3c.g5m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2996-419-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-417-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-393-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-388-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-382-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-372-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-371-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-24-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-365-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-31-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-418-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-48-0x0000000009340000-0x00000000093B6000-memory.dmp

Filesize
472KB

Download
memory/2996-420-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-423-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-305-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-424-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-436-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/2996-337-0x0000000000A30000-0x0000000000E9C000-memory.dmp

Filesize
4.4MB

Download
memory/3988-68-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/3988-226-0x0000000007720000-0x0000000007728000-memory.dmp

Filesize
32KB

Download
memory/3988-220-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/3988-205-0x0000000007640000-0x0000000007654000-memory.dmp

Filesize
80KB

Download
memory/3988-196-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/3988-159-0x0000000007600000-0x0000000007611000-memory.dmp

Filesize
68KB

Download
memory/3988-155-0x0000000007680000-0x0000000007716000-memory.dmp

Filesize
600KB

Download
memory/3988-151-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/3988-146-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/3988-147-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/3988-139-0x0000000007320000-0x00000000073C3000-memory.dmp

Filesize
652KB

Download
memory/3988-138-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/3988-127-0x00000000072E0000-0x0000000007312000-memory.dmp

Filesize
200KB

Download
memory/3988-128-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

Filesize
304KB

Download
memory/3988-82-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/3988-81-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/3988-78-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-67-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/3988-66-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/3988-63-0x00000000051A0000-0x00000000057C8000-memory.dmp

Filesize
6.2MB

Download
memory/3988-58-0x0000000004B00000-0x0000000004B36000-memory.dmp

Filesize
216KB

Download