e26fabd2c7ff2793a03e50751c6b5c5606cd0dcc9f0fbec237db01080085c327

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
Size

2.0MB
MD5

e1ca89e321f8198d4253c9178eb523ff
SHA1

fe072ee589998082c37b054c4d8e4f0a6aa4eeb7
SHA256

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a
SHA512

af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d
SSDEEP

49152:SxZh3SQ5yCsV/BuPeQePc/yRrkS2TCwuRI7V1GiTCBC3O:WSp/iucmAS2TCFIB1RTC

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

2Xd7831.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe

Drops startup file 1 IoCs

Processes:

2Xd7831.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 2Xd7831.exe
Executes dropped EXE 2 IoCs

Processes:

1aF72hB0.exe2Xd7831.exe

pid process

4748 1aF72hB0.exe
2732 2Xd7831.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2Xd7831.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe2Xd7831.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

2Xd7831.exe

pid	process
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe
2732	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3592 schtasks.exe
468 schtasks.exe

pid	process
3592	schtasks.exe
468	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exe

pid	process
3224	msedge.exe
3224	msedge.exe
1852	msedge.exe
1852	msedge.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
3548	identity_helper.exe
3548	identity_helper.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1852 msedge.exe
1852 msedge.exe
1852 msedge.exe
1852 msedge.exe
1852 msedge.exe
1852 msedge.exe
1852 msedge.exe
1852 msedge.exe

pid	process
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2Xd7831.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2732	2Xd7831.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: 33	1140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1140	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
4748	1aF72hB0.exe
4748	1aF72hB0.exe
4748	1aF72hB0.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
4748	1aF72hB0.exe
4748	1aF72hB0.exe
4748	1aF72hB0.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2Xd7831.exe

pid process

2732 2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe1aF72hB0.exemsedge.exe

description	pid	process	target process
PID 2620 wrote to memory of 4748	2620	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	1aF72hB0.exe
PID 2620 wrote to memory of 4748	2620	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	1aF72hB0.exe
PID 2620 wrote to memory of 4748	2620	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	1aF72hB0.exe
PID 4748 wrote to memory of 1852	4748	1aF72hB0.exe	msedge.exe
PID 4748 wrote to memory of 1852	4748	1aF72hB0.exe	msedge.exe
PID 1852 wrote to memory of 552	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 552	1852	msedge.exe	msedge.exe
PID 2620 wrote to memory of 2732	2620	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	2Xd7831.exe
PID 2620 wrote to memory of 2732	2620	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	2Xd7831.exe
PID 2620 wrote to memory of 2732	2620	3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe	2Xd7831.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 2788	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 3224	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 3224	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1592	1852	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
"C:\Users\Admin\AppData\Local\Temp\3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff8eef846f8,0x7ff8eef84708,0x7ff8eef84718
      4⤵
      PID:552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:2788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
      4⤵
      PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
      4⤵
      PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
      4⤵
      PID:1472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5248 /prefetch:8
      4⤵
      PID:2572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5396 /prefetch:8
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
      4⤵
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
      4⤵
      PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      4⤵
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5734121705633015398,4466683165052065509,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4388 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Xd7831.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Xd7831.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:2968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
570482845a6987cb3e8272c67a8390a2

SHA1
3de67192263b003af1804d410d5fe0e68083ff8a

SHA256
bab679fe8bf1172e92f4d78c33ce45f9077bb3ceea384ef01e822185935029e7

SHA512
4dc6110c591eed12c5a5fba4011875612d864e7c787c194d290ad7f0f6679eae6be59aa37b831eeb928829dbdaa4025c194b82620f62750e3b6e8e5a4584bff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
34af5c174bacb4bb7d839012809aecb8

SHA1
759ffca10a9f9babf72fd1507e084ecc5fe418e1

SHA256
a3070d26f26aaeba0eeea6828cf9c7c6ab371bd6996dcf4151486b84a91e39a4

SHA512
a8ba90cb5769534ee078b83379ef7a043f2bdd58e18a5b70a077d72678892216ece5e95c7d56db1e7c9bd17f24378c0f8f4440a5302feeddd86c7ae7afdb2afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9364e1154fba6a242516995d2ac1fc58

SHA1
bb2dd0abb58077ddc276c10605f8a6aeb5ff3988

SHA256
7a4688502cbaf688323c2e9b89145b51ef331eb010fbe5bcb62e47c4e62fb2f2

SHA512
4015d2840b33319c26be1c0bef3580d854a0c07c97785714ab00d684e6b61537024bc142e6c18f9fb7829253a4ee038fab1c103810c00133139f30ad043f8d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e753bcb93af224f4bf329b4c7b5907a

SHA1
c24508223a7ae0a91ed15f47b23dd457c6d4526f

SHA256
5e1fc56d75ba5d823994fc1a0597f9b381b0031f6e4f582c16307b8393717e71

SHA512
037a638dcb8dbed0e840c9af14cd8377ebff98b8d1f00993d674077da4f17b2b5df3c0ae064655bfc786fe019b4b1df57b13cab8537e3a5585ad160f0b9b07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc21e78cd452f4e0755af8137d633a06

SHA1
2d81789e5fcb6aa5c4732a7c9c45a4d6d1ce45f5

SHA256
86c085a3368548d2588265a4dd9a0b681def09f9a48ce98f13aa8ad89d4d3fad

SHA512
07bc8f9cd3c821b80db30df3a644389dfe29fd6b21bea96f08949a97f15ec432238235cb279f7c495ca845be35397c90755a0445f037a6946ea54e591d5516e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a3b3f16-5e3b-489e-9043-91048cf30d1d\index-dir\the-real-index

Filesize
2KB

MD5
68b85a58f5caef77db5c544279f318b5

SHA1
973b86a6cafc55a95f65d592b1382b00c3f3ace4

SHA256
89279d2dc351c7be39a79c640eee06a3d28bd43aa38759fd4a0bb40cf0b2d8e2

SHA512
e477f94ad0b2b053ed46a9b433b357ef76fc04457b31e6289f83c4abf3e02e29ef7a48d1d092a8d1c39f018c628a3aaa0180d549966b86ef287df245b76451cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a3b3f16-5e3b-489e-9043-91048cf30d1d\index-dir\the-real-index~RFe57b892.TMP

Filesize
48B

MD5
cafe497e62947f6a0e40589b21ba303a

SHA1
bd230da7792dcbc56d32a899e939b41aa9f2a2ec

SHA256
ef293c194b4100081469d8affccf9902824241e491e00b4f677e330b9e071718

SHA512
9d914316df3a1b5dbdef2887409d0bc74345760c8226887a867c54ee8671205956af330e01db34f3df5a549fc4ab6da322985042cc9ed97189b184bb00a1196f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
c32311bfc419da4236f1fc306e8cda92

SHA1
2995433c4cc802a303c665136575ef274c7fdf59

SHA256
08483178b98822f5c0f6b5464061896cd0bb0e9f1be8d9af508078a7cdbd2d3c

SHA512
5287405aac4081585758b60dc3e68890a50f7e29ab173a83c18f42f445eb425b72797c44f81b3a78b81830f7f8e6f479c2607e55cd2e773eb7a5291aea1dddc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
9f94871b7de8f82bca7cb73df7d9ea6d

SHA1
1b9a89e1ba68f4d38e1d748b76d174f9fe38263e

SHA256
624dd8a8af0e600af01a2e0bdeddbf2197c4a94e4c83794b2dfcace6767590d2

SHA512
040bec47596012af1b41c1c8eeb84801bb4efa2bdc1f3ae69459215bc9fbb7fb5b11e38fdadfef7fe236aaa08cdad7ea302315ebaae5a2b6ce4469f226d8704f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
66a5403ade2602edc7331aac4cb25b4b

SHA1
0ea21a14f79efd24c333fd24958cd01dd275b654

SHA256
7954171c464ab997b6db905e67662f4a29d2cc4a0949f487c0c5d0ab796ab3d6

SHA512
ac3e7ea289c39394b5583e52cc18fd79e73b1e39dfd23634cdacd4494183644c4cbe77e03a4784f71a32e3c583732af7dbe3a6c0ccb94e11a3189b9e862b69c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
cba3dfad0598f28524fa3a3f35337794

SHA1
97fcd3fd1ec9ece5fbf9517d75052196d9f3cdfa

SHA256
1a080ae7e60a40a48d0dcd0dcf7b60e61a654e2abe770f3f6642cdc750bcf608

SHA512
282a05c1ddf8c8e141958fa74835421cb2c1f98f74cef91e8e066eceb806d8d73df950fa51f574a3b782658c4136ffaa5c6e683dfdf9015340a5929a7e43a404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
515f67fe9699ca5629fb1d8613bae36e

SHA1
17821e57bf06494d55d3e7938fdcbd1db85bfefb

SHA256
4f4aaf954ec1b1be19453a91d22d557f4a251ba330464ff84549cea1887ea426

SHA512
429b0986a94aed3d6ef9f5add840dce2c30a900c82cc137824da39bf665527a2155983f50c17640a6391f15c15190fcde572744d91cc90c275225fba3f074229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b277.TMP

Filesize
48B

MD5
7ee4251ddf0a5d42c2fed57e3426b236

SHA1
0353c729da3f58e370441558abffada0ddfaf958

SHA256
f837c4ae956f846765a0df4929ae78f5b97064dec3cfb58d8a3082bca5ba970e

SHA512
80ebaf269892dbc727d0714744ed86624384d4318fce88fe40e6cc113055882cbdd06e369a52c8c2ad98daf6b470d494ac656870902efe1215a20c7f98f07711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c18ee32a02a101b30e5913071d03f96b

SHA1
1a314a40444b5bc2d50393ea6cef4e968c9e826d

SHA256
c12449623132db06437955440f4c922c2f1dd2e82121b85e88c930d8f0d3ad87

SHA512
a540a7efbe3efaabc4bf8a59c68aa2f4fd5f8605788c9e9711767e3cf145af8e63b8c5c7ddb1d7af2ff97b7749c5407c6536da97ebf0b5822cde78e3f0ba83e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1aF72hB0.exe

Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Xd7831.exe

Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhhwofgv.mbq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_1852_TJJFYMYTEMEFEDJO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2732-407-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-405-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-398-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-371-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-369-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-359-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-358-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-357-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-22-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-9-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-406-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-404-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-408-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-411-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-423-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-34-0x0000000009470000-0x00000000094E6000-memory.dmp

Filesize
472KB

Download
memory/2732-312-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/2732-315-0x00000000002A0000-0x000000000070C000-memory.dmp

Filesize
4.4MB

Download
memory/4724-55-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/4724-261-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/4724-260-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/4724-259-0x00000000077D0000-0x00000000077E4000-memory.dmp

Filesize
80KB

Download
memory/4724-258-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/4724-152-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/4724-150-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/4724-141-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/4724-138-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/4724-139-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/4724-115-0x0000000006830000-0x0000000006862000-memory.dmp

Filesize
200KB

Download
memory/4724-131-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/4724-126-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/4724-116-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

Filesize
304KB

Download
memory/4724-69-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/4724-68-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4724-52-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/4724-54-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4724-53-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/4724-49-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/4724-41-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download