7575b6a7ca1e6aeecfc397511f1b32b4a78d90e4766e4942510517290d09a617

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
Size

2.0MB
MD5

e1ca89e321f8198d4253c9178eb523ff
SHA1

fe072ee589998082c37b054c4d8e4f0a6aa4eeb7
SHA256

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a
SHA512

af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d
SSDEEP

49152:SxZh3SQ5yCsV/BuPeQePc/yRrkS2TCwuRI7V1GiTCBC3O:WSp/iucmAS2TCFIB1RTC

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

2Xd7831.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe

Drops startup file 1 IoCs

Processes:

2Xd7831.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 2Xd7831.exe
Executes dropped EXE 2 IoCs

Processes:

1aF72hB0.exe2Xd7831.exe

pid process

3316 1aF72hB0.exe
1876 2Xd7831.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2Xd7831.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe2Xd7831.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

2Xd7831.exe

pid	process
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe
1876	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1380 schtasks.exe
5112 schtasks.exe

pid	process
1380	schtasks.exe
5112	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exe

pid	process
4920	msedge.exe
4920	msedge.exe
1000	msedge.exe
1000	msedge.exe
3824	powershell.exe
3824	powershell.exe
3824	powershell.exe
3248	identity_helper.exe
3248	identity_helper.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe

pid	process
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2Xd7831.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1876	2Xd7831.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: 33	2204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2204	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
3316	1aF72hB0.exe
3316	1aF72hB0.exe
3316	1aF72hB0.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
3316	1aF72hB0.exe
3316	1aF72hB0.exe
3316	1aF72hB0.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2Xd7831.exe

pid process

1876 2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe1aF72hB0.exemsedge.exe

description	pid	process	target process
PID 4072 wrote to memory of 3316	4072	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	1aF72hB0.exe
PID 4072 wrote to memory of 3316	4072	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	1aF72hB0.exe
PID 4072 wrote to memory of 3316	4072	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	1aF72hB0.exe
PID 3316 wrote to memory of 1000	3316	1aF72hB0.exe	msedge.exe
PID 3316 wrote to memory of 1000	3316	1aF72hB0.exe	msedge.exe
PID 1000 wrote to memory of 2296	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 2296	1000	msedge.exe	msedge.exe
PID 4072 wrote to memory of 1876	4072	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	2Xd7831.exe
PID 4072 wrote to memory of 1876	4072	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	2Xd7831.exe
PID 4072 wrote to memory of 1876	4072	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	2Xd7831.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 532	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 4920	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 4920	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 1744	1000	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
"C:\Users\Admin\AppData\Local\Temp\3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7fff673f46f8,0x7fff673f4708,0x7fff673f4718
4⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
4⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
4⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
4⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
4⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
4⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5324 /prefetch:8
4⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5444 /prefetch:8
4⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
4⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
4⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
4⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
4⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
4⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,16114947448159708274,2124867268999702068,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3024 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Xd7831.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Xd7831.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
3⤵
PID:376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
3⤵
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
599ea99463ec40e7d43e268835da13cf

SHA1
c8bf1ddf31f8dd6575b4fff2158dc5f772d4c4b8

SHA256
3d6d711e72e0914af229b25ea235df676e95b64c0c95315c1bd1d8fbedeaa45f

SHA512
dddb3401c119bb33968603324c4539c55ae9589d4d1dc9648dd02f3b5e6184cfd5babf00b809a5b8495191e55f63cefcc0f7df45d84fe4dc53dea47450192abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
08ceb69e85be163eae5d8ace6f618a91

SHA1
e11fe435d10ae2bf4bbe64372e5dc4ba75f534d1

SHA256
e1ce285ac1d63d9caab4eb85dd1d4bb961f97f6879aa8261f8d4ee897f63d212

SHA512
f61e8135ef49f2742cda55c53936290c48028246e2bfdf37b5777ced3656c4bbbc72a8480b9cc2ce347f360253dd2bb1b490cce91d40cb3e37f22d743c9f5583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
0587cca845ac5e6d18f4328919ae9e35

SHA1
9512fbec284f81d81c62c0188d0afe28012ba40b

SHA256
1a3227b5d42195d8d424d4fca2ec7a0a3e408046df89fa2c4d43a36756a43950

SHA512
deb3d58b46cace53d470debe2743ee62bc7ee61436cf249c21f248550eb0dd02d90e20fdb236543542029d865f44cf40694603ab11286a463753e4bb7e1daa47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8d63680e6f649e6f8993aef39c306e45

SHA1
24f9569b5711c5f473bf7b852fead0b34a8e1a1b

SHA256
3a593a0a57e89cb2141747348a94c5d51b1182ecb798f2beea049be9f16b6bfc

SHA512
f4d507a9de3a40c2dab828dc02eac32a0ef0ab23de4b79e625631e245134dc0f0da6da36bcfa4a574f633725da3cecee4e0b7e8f735ae94037df411655938a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cfd276449e5eea320e1a89e4ecafec58

SHA1
8505e395231dc6dc3a46b30509367bac47217ff4

SHA256
8e367c270d8e296e3bc29892c87b3e20d1fa6dc7ccc99d2706250ab21f7b8d89

SHA512
315ae18dc59f8b51c83b9c69140d257d10f1f6c5614b412a80328ca2d64f289389301fa36358984b8206f05b146b63b7d27c89cc2f2da09af141924be06a5396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\292403d4-6a16-49a1-9308-ef3964cffdee\index-dir\the-real-index
Filesize
2KB

MD5
15bac6ad2cffc8408cbce827346a6658

SHA1
f0bd7a144b0eb0f5d9e2c1e7dedf5adfff20ca48

SHA256
defb9c80bb9e92436b52f1864d1c87ef9e54b98e39c789f51624c081cbf90cbc

SHA512
b284984d730e42a2d3b3094050578b128da09b4d4a80ffd015350ed024fbd1fba39021568b3e8cfe3793adbb18dfae8b62080c4bf2ac5830e8953b34a00f9793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\292403d4-6a16-49a1-9308-ef3964cffdee\index-dir\the-real-index~RFe57d486.TMP
Filesize
48B

MD5
7d84b8e3df0f35c4ad319f06d1b6e1f5

SHA1
79c7a739ce03984c13a38059ac446d0a1de16877

SHA256
0a61200186de9ed2803c0bd4e69a99833a8e3568d3acd4288392fde9b2addda4

SHA512
26083a6d912fcfc6ff7ed22101f72814c8bb01b1c7416b6df588e6aef333bb905cd20ee3aa83e250b2f52882ea6a47ad1ae01f32995ddfca506ac73033b5db21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
b428344c2f07d87ab8a89daf8736f2bb

SHA1
e04ca82ce80884958f58c824994500bbe33b6ae4

SHA256
2b0143f80b356633cfdd423ffd18b274df57f0794c2623bcaa70fa30a0f6dc96

SHA512
e8420c0d288432430bbe292e4d7e4ece42ef1ebbb5e9ef6125f34d1ee35e68df6c84d70d59fa8e842b705d936b4fffc3fa316ab0dd9ec99bd4bf1d0ecbf784c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
eb24bfeefed3d4e98ac094ffc420c50f

SHA1
bb00718d079477b0e65830847911592edf6e5bcd

SHA256
23c46b2d567c9c377d8de80aac2e2322df01d78d4df522efd0d4d319863e8206

SHA512
d5b94adf631ca378d2c51cec9068491bd17d60d7421495e3c695f3266c8b9b73e81dedcc738dfc5c3ba7171d953b7a2d212f1ecd0cf645861da5ddbccaecb4dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
8445dc53026e8e0e552d410bd273cb40

SHA1
25f33eaa8bfe68ea6bef7b8d2de18224e760f935

SHA256
50794fc949671e36be2b3af38f8542ef2a435b7e565bfaffdb163fe08300978e

SHA512
7ba4951f34f15d412b58b50a2bf3a3014aa04fb23fcf9a1738eb29bcd8fcf1f67b10dbcc915a0f305dddfac3a6e499eca5f8a1a3fb041d6af0063787a2a2ccab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
ded7ea56e2264d5ffeac14ebc786751c

SHA1
37c24697a1ff661a74b8b95ed0ba6f304c252302

SHA256
81a662e03bf65265b7424d4cc359594e741d4c608925e5bde5de5bef3a286bca

SHA512
45ceea96fa40d746e418c5c913ea1c7acddbe59ca442ece4dbce4d6b2380c60679200d9e5e6ed644523c7aadcd8040b9777b0dd946661c560b82241cbb755cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
00ec5628c45a798e199fc4b95f35e57e

SHA1
60c5bcb8ea24902dc0563a89fc90debb64a2be1e

SHA256
5e3146a24a335dc1f1f27ffe1de0f09631ff2ff19090f539725ea757af0fd43f

SHA512
2dc9f6d38b21080452873e9764d0bd7c24ae219a78f30f49ed25ea06644fd0ce218f72f0c01d1c54a53d55bc82a6fae9296986ddd8b4d84e4725796ac364a107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cd72.TMP
Filesize
48B

MD5
482e861099e1478fc015fd0054d3906a

SHA1
09a41d77eb2ae9d147d79198701408d4b33d3abd

SHA256
4becae11783b2c80c2076c6b8313c3de6650893e7b450dba38ac8112cad56a36

SHA512
bd68ef6eb87688be566ce2fc6b5a8d7ad34dce4367ea985bdef57373ffae97f86d0c62c885e77d2739646eaaa4ce1737545717934e848ad8ff1a69ff7d9c782c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b2458f5b70a3707c1ce2bc6a6929eed2

SHA1
645633957e7dae455d6ceee2c4200b1a91612f1a

SHA256
83dde677ef1f48743c0420f3dfef710108e10a7f2c2d8727cb29bcb3445e52dc

SHA512
2e8ef7251f0201e1e2f65a81b502d71208dfaba94c2fd5d84d0a461471838212d131a1332fa15be60e7352478596fc437b788040d30f7bd1baf4c3f5857b4590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe
Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Xd7831.exe
Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yonk2qzv.5tu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_1000_XIQYRQWYLQJHBSVM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1876-405-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-404-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-380-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-371-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-369-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-359-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-358-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-23-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-352-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-34-0x0000000008DB0000-0x0000000008E26000-memory.dmp

Filesize
472KB

Download
memory/1876-423-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-9-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-406-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-407-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-408-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-411-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-312-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/1876-324-0x0000000000150000-0x00000000005BC000-memory.dmp

Filesize
4.4MB

Download
memory/3824-64-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/3824-247-0x0000000007B70000-0x0000000007B78000-memory.dmp

Filesize
32KB

Download
memory/3824-239-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/3824-228-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/3824-199-0x0000000007A80000-0x0000000007A8E000-memory.dmp

Filesize
56KB

Download
memory/3824-146-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/3824-143-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/3824-136-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/3824-133-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/3824-132-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/3824-112-0x0000000006B00000-0x0000000006B32000-memory.dmp

Filesize
200KB

Download
memory/3824-127-0x0000000007700000-0x00000000077A3000-memory.dmp

Filesize
652KB

Download
memory/3824-123-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

Filesize
120KB

Download
memory/3824-113-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/3824-68-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/3824-67-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/3824-55-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3824-53-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/3824-52-0x0000000005760000-0x0000000005782000-memory.dmp

Filesize
136KB

Download
memory/3824-49-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/3824-48-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download