fea4a5268fd3fad5b4772bcf4ef021d104110cff4b7bd43f6ad10ebcab7b0916

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe
Size

2.4MB
MD5

b56c9c48c9be9fe4136433ba42ff386b
SHA1

ca41a545b363d093d54478164341a674d14fc20e
SHA256

6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de
SHA512

cd0d1d2515ddfa2f82c0a231ac628087ec07e12ae18f16725c8c00f143e42babbdf6fdaa364c3a73995b11c500229ed2b80fb0b49ee9c053b27d00c0318b30f4
SSDEEP

49152:aMZY5u/t3C4s8PuNe0etckWRrdj3mCaEshhFeEsuHECTOz88kUOgL:4uc86Wc7pj3mCohHeXuHaxkUOW

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

Executes dropped EXE 3 IoCs

pid	Process
4380	Aq8fa68.exe
1188	1aF72hB0.exe
3344	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Aq8fa68.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral11/files/0x0008000000023420-12.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe
3344	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1568	schtasks.exe
464	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3236	msedge.exe
3236	msedge.exe
1820	msedge.exe
1820	msedge.exe
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe
776	identity_helper.exe
776	identity_helper.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	2Xd7831.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: 33	2260	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2260	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1188	1aF72hB0.exe
1188	1aF72hB0.exe
1188	1aF72hB0.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1188	1aF72hB0.exe
1188	1aF72hB0.exe
1188	1aF72hB0.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3344	2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4380	3264	6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe	84
PID 3264 wrote to memory of 4380	3264	6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe	84
PID 3264 wrote to memory of 4380	3264	6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe	84
PID 4380 wrote to memory of 1188	4380	Aq8fa68.exe	85
PID 4380 wrote to memory of 1188	4380	Aq8fa68.exe	85
PID 4380 wrote to memory of 1188	4380	Aq8fa68.exe	85
PID 1188 wrote to memory of 1820	1188	1aF72hB0.exe	86
PID 1188 wrote to memory of 1820	1188	1aF72hB0.exe	86
PID 1820 wrote to memory of 4588	1820	msedge.exe	88
PID 1820 wrote to memory of 4588	1820	msedge.exe	88
PID 4380 wrote to memory of 3344	4380	Aq8fa68.exe	89
PID 4380 wrote to memory of 3344	4380	Aq8fa68.exe	89
PID 4380 wrote to memory of 3344	4380	Aq8fa68.exe	89
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3180	1820	msedge.exe	91
PID 1820 wrote to memory of 3236	1820	msedge.exe	92
PID 1820 wrote to memory of 3236	1820	msedge.exe	92
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93
PID 1820 wrote to memory of 1992	1820	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe
"C:\Users\Admin\AppData\Local\Temp\6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq8fa68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq8fa68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1aF72hB0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1aF72hB0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff85b6d46f8,0x7ff85b6d4708,0x7ff85b6d4718
        5⤵
        
        PID:4588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
        5⤵
        
        PID:3180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3028 /prefetch:8
        5⤵
        
        PID:1992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        5⤵
        
        PID:2808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
        5⤵
        
        PID:4752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
        5⤵
        
        PID:3800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5352 /prefetch:8
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 /prefetch:8
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
        5⤵
        
        PID:1152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
        5⤵
        
        PID:432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
        5⤵
        
        PID:4084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
        5⤵
        
        PID:756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
        5⤵
        
        PID:3716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4052724884112543885,14298843239265927948,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5144 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Xd7831.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Xd7831.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      PID:4288
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x24c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
7f507b1cf5c1fa091815094b518eedf8

SHA1
44c7dc1010a72bd1c1d9ecf2d646d37c30b0f016

SHA256
5af14c741019c0599399b6688512749c26e9aa57a61b9203def2b80d00f0696a

SHA512
3d1d5f87c75b87eb2b53f3a593cb86dd4965b2e4d229393e967c36cb7adcd386b0b2c8aac2fc6f85dbb638ad7295c29e17a2d6d29d33ae89a1abb1c369290b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
813f82f13a3da70c0047712765985ce6

SHA1
ff3fb4ed8e197431c10c624a2f66b09c2d4b638b

SHA256
e399dceee1ebaa26ec161075e6cb9dac27a2d34927d7fba5dd74c49324b94aa4

SHA512
6fcc6174b9f26ef29f882bebcd2793ec2a5ddfb1453ff6800b83b6fe09aff84e63abfdd4d14a4e5d554d7dd9ece953292a9d294f1d92f0b64e0731bc85bcd4d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
00576596054080360633f17232cbcdd5

SHA1
10daa2ae7daf898783678f945b5ae53f532d56ca

SHA256
dc6fc844661c46dbe30442043032613e38f411d4f3ea27ea9b6ec593a8dbef95

SHA512
53818b9ca833a8d3296978447487cb3131de27535c321342450845129b75466839d81e7e48b768186a79c09191f2b3683c6771f12b5d78086cfdabc34ff98bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
656fb3472b4a6a2337f2171851cc99ef

SHA1
7da743e15630975a3dc6002530cd1b41306328a3

SHA256
24adf858c1bf3abe128cbcb133776adf0edf5c6a3715e08b8518edf4d6f077d8

SHA512
cbe3af4d10af82c88e0acd1168cb8f26d81bc2854ed68940e27d49c050ce1920ecf552804bb7939473ee20d8f9257ca9f9cfa7f53201993ddf461ef9dcd32b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e746f484c4a6879398be4e8fa87cfaa8

SHA1
b21e73df88540cd8aa8e7f5bc197b7bf049e796b

SHA256
eff3d67ff8dc2572431a51aa1152b4413014adb2ed03efa13bf101f322105096

SHA512
b20eefeb1a8e5e511473a1f7f85e7c8a15a835b315bc03739c179590f35bc9306100aa179bf829563f12bc7fe3295bcd5dc8c2fc3ee8eb85ea5b244693ea128a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ff6f162d-1675-4300-8c9c-8d20ea6f9d87\index-dir\the-real-index

Filesize
2KB

MD5
b6f10c0c6e26ff27434e614feca510c3

SHA1
a8ca570d0e2b690e32d6ad4056860407093dfbc2

SHA256
c0f74ec531ce5d2e28cb46254e7a8b493204dfb20a0fb9bb0e5b6293eef8a408

SHA512
1966e698b4c211dc28d2a6ce0b4e1f2796548e3f87719f518d417c1f1f146e007d35151a717be6b81c1ad74777f839c8c0512d0b1d935481b15386b00dfbad6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ff6f162d-1675-4300-8c9c-8d20ea6f9d87\index-dir\the-real-index~RFe57b287.TMP

Filesize
48B

MD5
d8875a3b5cfc48c86794c2c5b96189b1

SHA1
c3c491f27afc8fe8ef7b3e140c11b5a1af18eb26

SHA256
f5d91c146054172a60f359078f721b75a18b0f502d999db2c4a4cc2efb487478

SHA512
6c7d3f7e718e0e3bda5be02c3fafcda89bfd0a3153a2334a52f619f06e40c49b0042c862c606d770634b22ff23ce6f5c0472e45e0c84b4fb486d34e1ce4fd17f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
6e8abba744a466e427e51adc2b230759

SHA1
9fec64146412ebca024d66f3e866309e94b82d5c

SHA256
5665283c9896fa73c89520e1719685314c3a88c645883a31367431919c6c850f

SHA512
a52a3098f7303ecd394e55559041b4797075143492b875e094b3c6ae316e55e9f524b62ec3f2368ee25d8a6942a2700f106d6c3e36f33c9e9bda3224083dce31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
55720cd2df1a1ce7aa20c06a892e2979

SHA1
2b35360c37e2389d234c72bdc8b8d110725961a3

SHA256
82acd029d4862dd9b0530e578a017eccce21cc3026ef622914807580c6e46ca8

SHA512
eebd8ab89c4567044e594ef0a113b4b44ac21bac1746caa536a1001067d3d08088daba081cb12e405e0a89c5eb7ea12eb699296a98d627426b623255bb9b931f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c6437694ecefe29761992af8b2cf5963

SHA1
804ea196785978cd404e7985df169fb229df66a3

SHA256
88810c1d28b9087101d394cb27987dc97403dfdd3ab02f60e07aa275e98d5ba8

SHA512
f853a768c8f3497df1d8e8ae1b89a41c43e85b1e63fe8870e902c9c34253c4bc31fb35d959a8a3d92812cb6a4fbae5eabe9b00dc910d1bbdea78a4f96e533ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
aa085d048ec3683110a849a19f393f22

SHA1
e35814baa3f73daefdc9e2e9d6ca6b63e234a302

SHA256
f900adb4ecc5108fbf6ee8b0e171cfeaad5aa120b75e26d565c5895c8df496be

SHA512
4aade8559b9a33abd3b12698644d51c0bd4f6f3f1de3935fa6c1c10b6185b18b738dd5894f7f75c2ad8b467926dca9b6ee5a9bcc00fbaafdaea5bd2f25dc2afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
abcc1d879ba73c3882fc373955b06f09

SHA1
0765190e2a256487018b0390ded8923f7d1b079c

SHA256
8bc7f14d0387e56d635187f6b0b1b0cf9ac80500d26029c9f4fa231b4a260d2c

SHA512
eb14633a9b742697f681852611d048316e77567a846f6297cf4987d3b7f93853b4e49caeef71801613f380273931335eeb02965f432efaf81606d088274ce8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ad95.TMP

Filesize
48B

MD5
248d882948b7ea211a5b9fdb666816d1

SHA1
9bc6581f72fe2ec3bf27a2566c744c3e80e9ff2f

SHA256
f362ca45f587b7500a10b3df6b57bca08baa3685da9d69ce04353a2f0cbbeb49

SHA512
4bafaffa2d8227159c67d33fd0eaafacef7854c2525ad4c30853307c6c61e73c10937256233c9b14c6b274df1525c8071658694352057d6650842ef5df87e8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d530a64e9efba394b45569e4ebd1ab7

SHA1
249695724b081ce7351ce65f7cc5256f7d6bfd3c

SHA256
00a045ca4b099baee25c1e23fdd528a423148b997c004f1165437f84c816b1e6

SHA512
6b2e5dcc14cb96a8befe5bc652453818728fab8109cb8de94e6f72e92b77958aa02906c21b872b0588f4c627d73f62085f309659e7f18cd76c62adefca7205b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aq8fa68.exe

Filesize
2.0MB

MD5
e1ca89e321f8198d4253c9178eb523ff

SHA1
fe072ee589998082c37b054c4d8e4f0a6aa4eeb7

SHA256
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

SHA512
af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1aF72hB0.exe

Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Xd7831.exe

Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3mtjspe.fid.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3344-42-0x0000000008F30000-0x0000000008FA6000-memory.dmp

Filesize
472KB

Download
memory/3344-415-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-400-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-390-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-380-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-370-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-416-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-369-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-368-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-417-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-418-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-421-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-422-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-434-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-36-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-33-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-308-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-17-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/3344-326-0x0000000000B30000-0x0000000000F9C000-memory.dmp

Filesize
4.4MB

Download
memory/4176-62-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/4176-269-0x00000000079D0000-0x00000000079D8000-memory.dmp

Filesize
32KB

Download
memory/4176-268-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/4176-263-0x00000000078F0000-0x0000000007904000-memory.dmp

Filesize
80KB

Download
memory/4176-262-0x00000000078E0000-0x00000000078EE000-memory.dmp

Filesize
56KB

Download
memory/4176-175-0x00000000078B0000-0x00000000078C1000-memory.dmp

Filesize
68KB

Download
memory/4176-150-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/4176-147-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/4176-136-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/4176-137-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/4176-126-0x00000000075B0000-0x0000000007653000-memory.dmp

Filesize
652KB

Download
memory/4176-115-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/4176-125-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/4176-114-0x0000000007570000-0x00000000075A2000-memory.dmp

Filesize
200KB

Download
memory/4176-73-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/4176-74-0x0000000006390000-0x00000000063DC000-memory.dmp

Filesize
304KB

Download
memory/4176-68-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/4176-61-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4176-60-0x0000000005BE0000-0x0000000005C02000-memory.dmp

Filesize
136KB

Download
memory/4176-57-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/4176-56-0x0000000004DE0000-0x0000000004E16000-memory.dmp

Filesize
216KB

Download