f7dfaa9e79da582285f964c17f202631b50c186b56fbe2c417d1cb042b2ba655

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Size

4.3MB
MD5

071f8bfffa76377293c3846706a9eee9
SHA1

fb8a1393c2c7c9e3adb21930e10633605c028a2d
SHA256

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2
SHA512

84d21135d1410597037321ce8434a27dee3878e4b3992ca2ae3837c0b1715f021aec3e5a42a00e2ae019b917c631b87bcd08844b672e3669f0c0c55b71789b4f
SSDEEP

98304:tIOMcwQObrql/9CpTxJJphqC3vKfOlk36VncyH7kuK2OFVa:tIUfObrQ/kX8euKk36VnH62

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

Executes dropped EXE 5 IoCs

pid	Process
744	Jo6pN03.exe
1932	HX6eg45.exe
2916	Aq8fa68.exe
2560	1aF72hB0.exe
5036	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jo6pN03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	HX6eg45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Aq8fa68.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral6/files/0x0008000000023417-27.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe
5036	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1920	schtasks.exe
4732	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
3192	msedge.exe
3192	msedge.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe
5304	identity_helper.exe
5304	identity_helper.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	2Xd7831.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: 33	2496	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2496	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2560	1aF72hB0.exe
2560	1aF72hB0.exe
2560	1aF72hB0.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2560	1aF72hB0.exe
2560	1aF72hB0.exe
2560	1aF72hB0.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5036	2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 744	1936	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	83
PID 1936 wrote to memory of 744	1936	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	83
PID 1936 wrote to memory of 744	1936	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	83
PID 744 wrote to memory of 1932	744	Jo6pN03.exe	84
PID 744 wrote to memory of 1932	744	Jo6pN03.exe	84
PID 744 wrote to memory of 1932	744	Jo6pN03.exe	84
PID 1932 wrote to memory of 2916	1932	HX6eg45.exe	85
PID 1932 wrote to memory of 2916	1932	HX6eg45.exe	85
PID 1932 wrote to memory of 2916	1932	HX6eg45.exe	85
PID 2916 wrote to memory of 2560	2916	Aq8fa68.exe	87
PID 2916 wrote to memory of 2560	2916	Aq8fa68.exe	87
PID 2916 wrote to memory of 2560	2916	Aq8fa68.exe	87
PID 2560 wrote to memory of 3192	2560	1aF72hB0.exe	89
PID 2560 wrote to memory of 3192	2560	1aF72hB0.exe	89
PID 3192 wrote to memory of 3348	3192	msedge.exe	92
PID 3192 wrote to memory of 3348	3192	msedge.exe	92
PID 2916 wrote to memory of 5036	2916	Aq8fa68.exe	91
PID 2916 wrote to memory of 5036	2916	Aq8fa68.exe	91
PID 2916 wrote to memory of 5036	2916	Aq8fa68.exe	91
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 3676	3192	msedge.exe	95
PID 3192 wrote to memory of 4116	3192	msedge.exe	96
PID 3192 wrote to memory of 4116	3192	msedge.exe	96
PID 3192 wrote to memory of 4584	3192	msedge.exe	97
PID 3192 wrote to memory of 4584	3192	msedge.exe	97
PID 3192 wrote to memory of 4584	3192	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
"C:\Users\Admin\AppData\Local\Temp\1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffb53ac46f8,0x7ffb53ac4708,0x7ffb53ac4718
        7⤵
        
        PID:3348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        7⤵
        
        PID:3676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        7⤵
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        7⤵
        
        PID:4308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        7⤵
        
        PID:1300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
        7⤵
        
        PID:3316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
        7⤵
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4892 /prefetch:8
        7⤵
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5336 /prefetch:8
        7⤵
        
        PID:2664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
        7⤵
        
        PID:1712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        7⤵
        
        PID:5312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
        7⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
        7⤵
        
        PID:5764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
        7⤵
        
        PID:5772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12575103481171759449,10631141526890964433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Drops startup file
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        
        PID:632
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
148a7e87bb6b035d044f21fb21824d21

SHA1
5a086bbc31717bb2ae3536e852fead110a4c54a2

SHA256
bab4daae88abfcab83b52021b0f6aeb393b213a670ba7d9070b63b2d35809dd1

SHA512
20e2892f1b868ff5a8b14abd943495aa158357aaf415262474df2427d1cdb677353eb19ca8e2cd091016663929c9870b3c80322605202f006fef2062e044af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a866c58d8452a8daff65a8a56e5e3d38

SHA1
cfb8425bdb7f42980542f7227302cbbe779605f1

SHA256
a74c3c646b88c46f666ab54c350cbfc664de01a806b7b29e5cbf074b36432d38

SHA512
c1174f67f3f00db9ff2f98c6347c95b307058b0f6cfbd762f7e1f4a2edf46f43369add71cf3b103b29747cc4b945d9a63062d4f16062675cccc2efd1a979c8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c81d19b6d353465bb0150f7be5aa2ab8

SHA1
b1ffca0d3884918178b2c2304d5946c5fccaaeda

SHA256
ec856a635a62b70f0e92870d5d265e4332e802fe5612028210d2a9bbfcf9fae5

SHA512
e53cdb61d564fc14759ad8a999ce3821cc20693db611854be0811263b60fdd4ccdcfbb298bcd9cd27bec8c18b4837f253308d4a910f5c307640d984b93a73a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cbac95d6776cce8a44fb4b278d0a9de1

SHA1
caa8ef4c0cdd61df4c36342af68eda63bd8870fd

SHA256
cbc5f5bbf23294f550dc1f1771fdcbbb6764d4d5ff2f86701e78e50e499523e1

SHA512
3fa2bc087918fe0ce6adbf80227842bd41278ec85ce6da1e08c03390c6bcc094d3588f2bf5c202d75050d1c99db8e62adca015348212911c1d7228ae16d6ec91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
811aeb121c97229bfdb558bb88df9c7c

SHA1
469053ebdcc68202aef3551ea8fe36f07553360e

SHA256
390ff139a7a80b14687059a8d64be24f43244185ee9592deb2edc5d34c46e693

SHA512
6a69a5d5a6335cc0e2c5b1913a941c70f6f2b1831283ef3006df922e17e889388b2467c189059507342d10f96d876466aaffcc2d7e1f2911227c3ed61123b98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f4b14719-eb5c-454d-a649-2f22b1a6aba1\index-dir\the-real-index

Filesize
2KB

MD5
8b384ca3ec5781eecd1fd5e1889cd699

SHA1
6606d287594923de669ba7caaeeea34854dcd341

SHA256
d9203b5ee20cf831f043273663a87eacbddc0432ea27622191bfec5748f8330b

SHA512
90482bdc5279db23601a301125f652d6c34becd826581d53e6d04c138cc27eb76fed28e3c1a8843a74709175ee99433fea11d7b513aab9d5c9cfe2e6fb3815c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f4b14719-eb5c-454d-a649-2f22b1a6aba1\index-dir\the-real-index~RFe579599.TMP

Filesize
48B

MD5
d6836ada236a380cb1926864e854fa21

SHA1
22b72d4255bf7090f4a34ab44cdb1d01f6c4645e

SHA256
eef2b47a6a83fef368350f192fbeaf7758f4fd685f36d86b23e6c3ac2955da26

SHA512
05f18d7797d416a7a31fe0b9c8c61fb3fd9a35bba19d92397df9bc09af34a4ed20c6eb9c3bcd34c02ce9462c3ba8f10969c88552805e9256209c856d55ac090b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
ffed85c301fc76df59fa66616edbbb21

SHA1
a8fdcbb19fd3e9c35cd3764abd443d0048a07e6c

SHA256
ec37fc958b7bf5457956850c9ed2663e5a9894f025311529970615470ed8b0b2

SHA512
673203f846feb5bfd70af4f716a6531e0c7eea4ec1c618be99a831cba73f49afdcead3f2363119149abcca0f68123136e56577fcea7d780993053bd45610f526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
ca3a21d569a7b38587fb9b2825bc88f4

SHA1
88804a1576f8fca029d4d8d21967d1577ad4f9ea

SHA256
d18d73d3bc19f84a964374bd5b778f3013895c21778e5b03d2a0e9f2a860a08e

SHA512
de05e550ad3bf0212c66f04d9e4133731f458e2b882e3bd320fcb893411a3acb01db214c3bbb5d418062eaadaa1f291fa037557320e064ef60b4688a931889d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0c3681c8fc2179bc648dc75771696115

SHA1
bc0b25658e51e3df16c5062db965d67ec654b3ed

SHA256
59b6e0bafe9fac0b3ed8d65fe0940af173ab4b444da80e6ba2326c766d1539a0

SHA512
4d7f1c032926c34f8c93373bbbc556c11b9f9690b1cb3b17dc1db7d9aa4aac1dbda4ef9d879c97923a5e2f1cff5fdc87744dba59b10bcfe3c75861674c393e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
7fba8995029cd8cf7ed110bddd5ec533

SHA1
8d06a3c1c64b393840382039b56182701c0f0f80

SHA256
a5e6c01cd814a7eaf4c90f9da05b0bab61302d200dac9def96641d6132dea917

SHA512
3b3eea58ec2f7970cff1017683e91ebff25e89652999227ded9273402345c7e9e877a7f2f0e41ef94b7c92e61b36330790967e907db8fcccc93bb1c447f43489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bba995118e6cee6ed9badbd5b8bcc071

SHA1
fd2381fe5f1c53a8611cdcacd372228b2b870df2

SHA256
87e3e464226a60242bb64f0a35a80eecf3404c861be79edca4b662cde9135780

SHA512
0e6ed50da749bb83e3e546397536cbdec8d53e3ef2fc90a04f6550c0b0053273143a66ebffa1870cf2c9bcdb5b60619d3a3a6f1a5fb2186ebde87fd2a15659c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578cfe.TMP

Filesize
48B

MD5
4e9e3ee1c61a5dec856e40a3b6f6be88

SHA1
ac0a275ce5ac48e27c25a1f02cf7d72c2f79be74

SHA256
2c2520cc5656b2ffa9e129235bed4a6417e32565c67e43865a8725dbb1371391

SHA512
b5d8b1ac7da2da083bba458ea009526aa9380f61406a17d2d5a57f8c15e77e4c9c017a9e1ca1cfd69eb27ba92a3d754c6b90a1596920698f7c773ced436004ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3e3bce083246cce5279745b03309527

SHA1
8d613b248492e9639be6c7406e7de9b38c7d7b3b

SHA256
c77935ae32dba79a245a9157494c8e0875e1e896dc66f18b53ead91230fd6768

SHA512
7257348c21d16806a041a5dfe9975d7858e5adc017a14132883f1b27e658ec3b4febb5c1d1491b380ca0021fb96a13a8bb2339ad1dcb4819416485e40f1b988d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe

Filesize
3.8MB

MD5
8f20f82e55f613e3387d8a4393d84415

SHA1
1fbb59f002e77b5608e555d5fb856ec649a94128

SHA256
fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e

SHA512
3596ff1cd6012bc0c3f6a8f928dc124499b2c64406ae8e99d994e84c6f8e817869adb3c23a1ca221a418521dbba2592bef264c43514a0dbab794d69b57af3f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe

Filesize
2.4MB

MD5
b56c9c48c9be9fe4136433ba42ff386b

SHA1
ca41a545b363d093d54478164341a674d14fc20e

SHA256
6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

SHA512
cd0d1d2515ddfa2f82c0a231ac628087ec07e12ae18f16725c8c00f143e42babbdf6fdaa364c3a73995b11c500229ed2b80fb0b49ee9c053b27d00c0318b30f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe

Filesize
2.0MB

MD5
e1ca89e321f8198d4253c9178eb523ff

SHA1
fe072ee589998082c37b054c4d8e4f0a6aa4eeb7

SHA256
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

SHA512
af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe

Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe

Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrnaaohs.t1m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1112-67-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/1112-68-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/1112-128-0x000000006FBE0000-0x000000006FC2C000-memory.dmp

Filesize
304KB

Download
memory/1112-149-0x0000000007E90000-0x000000000850A000-memory.dmp

Filesize
6.5MB

Download
memory/1112-150-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/1112-127-0x0000000006A40000-0x0000000006A72000-memory.dmp

Filesize
200KB

Download
memory/1112-155-0x0000000007830000-0x000000000783A000-memory.dmp

Filesize
40KB

Download
memory/1112-162-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/1112-164-0x00000000079B0000-0x00000000079C1000-memory.dmp

Filesize
68KB

Download
memory/1112-174-0x00000000079E0000-0x00000000079EE000-memory.dmp

Filesize
56KB

Download
memory/1112-177-0x00000000079F0000-0x0000000007A04000-memory.dmp

Filesize
80KB

Download
memory/1112-178-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/1112-183-0x0000000007AD0000-0x0000000007AD8000-memory.dmp

Filesize
32KB

Download
memory/1112-147-0x0000000007480000-0x0000000007523000-memory.dmp

Filesize
652KB

Download
memory/1112-89-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/1112-88-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/1112-56-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/1112-57-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/1112-76-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-146-0x0000000006A20000-0x0000000006A3E000-memory.dmp

Filesize
120KB

Download
memory/1112-64-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/5036-44-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-369-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-415-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-416-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-370-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-371-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-372-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-391-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-435-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-324-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-55-0x0000000009120000-0x0000000009196000-memory.dmp

Filesize
472KB

Download
memory/5036-417-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-418-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-419-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-422-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-423-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-32-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download
memory/5036-336-0x0000000000A60000-0x0000000000ECC000-memory.dmp

Filesize
4.4MB

Download