stealc | hxxps://salonvinsvicto[.]com/wp-content/folder/server3/AppFile4[.]rar

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://salonvinsvicto.com/wp-content/folder/server3/AppFile4.rar

Score

10^/10

stealc vidar discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1200-190-0x00000000010C0000-0x0000000001307000-memory.dmp	family_vidar_v7
behavioral1/memory/1200-221-0x00000000010C0000-0x0000000001307000-memory.dmp	family_vidar_v7

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation setup.exe
Executes dropped EXE 2 IoCs

Processes:

setup.exe8MCQaOBeVq7MWHZTeFd2ucaa.exe

pid process

3916 setup.exe
1608 8MCQaOBeVq7MWHZTeFd2ucaa.exe
Loads dropped DLL 1 IoCs

Processes:

FUT.au3

pid process

1200 FUT.au3
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	setup.exe

pid	process
3916	setup.exe
1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe

pid	process
1200	FUT.au3

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3916-130-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-135-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-137-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-138-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-139-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-142-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-141-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-140-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-150-0x0000000140000000-0x000000014131E000-memory.dmp	themida
behavioral1/memory/3916-165-0x0000000140000000-0x000000014131E000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

80 iplogger.org
81 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 api.myip.com
59 api.myip.com
60 ipinfo.io
61 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

flow	ioc
80	iplogger.org
81	iplogger.org

flow	ioc
58	api.myip.com
59	api.myip.com
60	ipinfo.io
61	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exe

pid process

3916 setup.exe
3916 setup.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

8MCQaOBeVq7MWHZTeFd2ucaa.exe

description pid process target process

PID 1608 set thread context of 4908 1608 8MCQaOBeVq7MWHZTeFd2ucaa.exe comp.exe
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

FUT.au3

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FUT.au3

pid	process
3916	setup.exe
3916	setup.exe

description	pid	process	target process
PID 1608 set thread context of 4908	1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe	comp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FUT.au3

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

Processes:

OpenWith.exe7zFM.exemsedge.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2848 NOTEPAD.EXE

pid	process
2848	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe7zFM.exe8MCQaOBeVq7MWHZTeFd2ucaa.exemsedge.execomp.exeFUT.au3

pid	process
1724	msedge.exe
1724	msedge.exe
2492	msedge.exe
2492	msedge.exe
4760	identity_helper.exe
4760	identity_helper.exe
3428	msedge.exe
3428	msedge.exe
5108	7zFM.exe
5108	7zFM.exe
1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe
1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe
1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe
5108	7zFM.exe
5108	7zFM.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
4908	comp.exe
4908	comp.exe
4908	comp.exe
4908	comp.exe
5108	7zFM.exe
5108	7zFM.exe
5108	7zFM.exe
5108	7zFM.exe
5108	7zFM.exe
5108	7zFM.exe
1200	FUT.au3
1200	FUT.au3

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

3692 OpenWith.exe
5108 7zFM.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8MCQaOBeVq7MWHZTeFd2ucaa.execomp.exe

pid process

1608 8MCQaOBeVq7MWHZTeFd2ucaa.exe
4908 comp.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2492 msedge.exe
2492 msedge.exe
2492 msedge.exe
2492 msedge.exe
2492 msedge.exe
2492 msedge.exe
2492 msedge.exe

pid	process
3692	OpenWith.exe
5108	7zFM.exe

pid	process
1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe
4908	comp.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zG.exe7zFM.exe7zFM.exe

description	pid	process
Token: SeRestorePrivilege	3608	7zG.exe
Token: 35	3608	7zG.exe
Token: SeSecurityPrivilege	3608	7zG.exe
Token: SeSecurityPrivilege	3608	7zG.exe
Token: SeRestorePrivilege	2784	7zFM.exe
Token: 35	2784	7zFM.exe
Token: SeRestorePrivilege	5108	7zFM.exe
Token: 35	5108	7zFM.exe
Token: SeSecurityPrivilege	5108	7zFM.exe
Token: SeSecurityPrivilege	5108	7zFM.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

msedge.exe7zG.exe7zFM.exe7zFM.exe

pid	process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
3608	7zG.exe
2784	7zFM.exe
5108	7zFM.exe
5108	7zFM.exe
5108	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of SetWindowsHookEx 54 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exesetup.exe8MCQaOBeVq7MWHZTeFd2ucaa.exe

pid	process
3808	OpenWith.exe
2132	OpenWith.exe
1972	OpenWith.exe
3692	OpenWith.exe
1972	OpenWith.exe
1972	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3916	setup.exe
1608	8MCQaOBeVq7MWHZTeFd2ucaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2492 wrote to memory of 5064	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 5064	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4404	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 1724	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 1724	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe
PID 2492 wrote to memory of 4608	2492	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://salonvinsvicto.com/wp-content/folder/server3/AppFile4.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa087846f8,0x7ffa08784708,0x7ffa08784718
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8652039773446534741,10931159466345160337,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3200

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AppFile4\" -ad -an -ai#7zMap4407:78:7zEvent2461
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3608

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AppFile4.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2784

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\AppFile4.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5108
- C:\Users\Admin\AppData\Local\Temp\7zO4F3A2F88\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4F3A2F88\setup.exe"
  2⤵
  - Modifies firewall policy service
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:3916
- - C:\Users\Admin\Documents\SimpleAdobe\8MCQaOBeVq7MWHZTeFd2ucaa.exe
    C:\Users\Admin\Documents\SimpleAdobe\8MCQaOBeVq7MWHZTeFd2ucaa.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    PID:1608
  - - C:\Windows\SysWOW64\comp.exe
      C:\Windows\SysWOW64\comp.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\FUT.au3
        
        C:\Users\Admin\AppData\Local\Temp\FUT.au3
        5⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4F362798\Licenses.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1fd9a30f3f614083f28f0b610599e913

SHA1
64284bcf648dca1455967a646a8caee8ab2f84ec

SHA256
d5094c5a92cb908c4df3ce22d426380e3f7db25c521a1691d7313d426c3ec3a7

SHA512
6d42ff315ebeb186528aeadfd0a0160d1b39309984c19322e818e3c049ca850eaaec3461dfdd9ee203d56d08f0931dfa41d90dd3ee629f4fb0e55079a8f4d11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
406B

MD5
cb51bd5d095533716157765645ed632f

SHA1
b0f815cbd6a44757b52d6c28509edb095659eb19

SHA256
1b24d14a0f4d1df5bdefd8c8c5878c0e2ccf9b481660e34572d4d4ab74da72ee

SHA512
fc0351cbfad8896ba774ca8005a1c0b6ac82f08e132596adfa2c1ba074b5e90e6e9bdfe6612defdae35c4c52a81aa8da091ff51c396998310ed29e15dbc0ce87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ba0a8c76c00063431d33bb4d0a9c436

SHA1
0773448155de021ba042c6880d897047ea7af5a8

SHA256
df7e03d1f0006ca500fd47511eb8eb7f95449b6487830769d7698f29378183af

SHA512
e7bba51c3e4fdf8ac779f8ee92617b49076ba7e9e76e00cb719464d2d6c32c527de37ec9821412a486466c04205f8951dc6bcc73fa8b269f343fcb4a97cbae03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b278bdd619210b6f5e6e75eb1e0d512a

SHA1
214d85cd10ae34de6bc298dd54975586a49bb574

SHA256
5855ada4747d22d2e520a854f670c1133e25fcc9127dd39af1e503d44051568e

SHA512
ae596eed36a1d83eb9e669c1f0d1082e301a824c1a4d5fd6e7fba9e7abfc8fe4161c99a1901d0e5da2aadcfece15180376db7ac487ed028c489f2455942ae2c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c84e422b7fe0d4eb8fe6ad62b5237c67

SHA1
f4ccbec54dfa72c7b4fdfbb740e35be8d321a4d7

SHA256
84f9942bc3b20fa9fe74f35e349b11cfa845fb2fe0fa07a95ea1b16a5d74d4cb

SHA512
d0df4abfa82ea6ac8462d7f2e44d606545c1c2cef1967161b7e783f6093918ad1bb0a2d1ed73d4f04be6d37c2d4823d086adc82668f78c5158a09114f7d57d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a944d76baddec657752fc2bdd9413c34

SHA1
537a593032ed7526a5877793a639b8c4583278f6

SHA256
4fce8e142dbec486e9cf71b9b89054f4a8b022e6a32a2bede9ad3b7903cadb36

SHA512
c8c4c43f16610845bcbf07b9aed4bdee4bcdf7d5f14e87cd5ac1360ed343464d3569cfea2f9788a0a8e8a33b22f5d847f64500071a58629f82a128667425222e

Download Submit
C:\Users\Admin\AppData\Local\Temp\45c1e8cf

Filesize
1.7MB

MD5
3db39aa30df77ddcb2e5b50998a869f4

SHA1
fcfaa9cadaf8332aa6eb4c438036ff17a2899cc9

SHA256
57387226ddda11faf8909e4edd47ae3d4edac978c035308ba63a5686e580e52a

SHA512
596e9833febcdb4c1e84d79258cb305618a252f35d4760be7be695c7abe4ee014b085a7afc33fc6252f0c93affcc8ca405915b8942bd41e736c3a3cf3ab48ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\491ec7c4

Filesize
1.7MB

MD5
2d87a85cb411fb71ac08c6ef5c0a6940

SHA1
651a599f3825ca9ddbe865d1310cd41015f77788

SHA256
ea2cef3e518b57b864b168cfc2472bdee06babe199ec410a033a685c14e71d6b

SHA512
f910037432334fbc3a7c7de4782188371eb2483d087b82b670f0c63537d10acb10332b5693a590a368f0b56933b791c1c684ae2c46dcd72ffb25d5cd3d0885d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4F362798\Licenses.txt

Filesize
131KB

MD5
bfe80d65cc4a7f039156a5d7bb258f58

SHA1
d4b9c2fb2dba70e5208ee3eb84cdb55a74858fdc

SHA256
a8b01bfc0898b04d2027af87d0594bc901cf97766ae1101272463750217ab6d7

SHA512
c0bce0daa8932f60db2c13a5b1f1cef329da56eb0e51d8ee617dc12ca0e8b2867f50deefb6ebe6205da3ec947342793f7134a21bad77854fd80b5d1f79fb838c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUT.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\8MCQaOBeVq7MWHZTeFd2ucaa.exe

Filesize
5.0MB

MD5
a4e84bdb6fba7b3c5689b0f2bc5ec858

SHA1
6ef4aaf5a594b23cb64e168824b1fc2376cf6c5e

SHA256
48605846c229a73a9695d0a6567982bb558e5108b2251b74ad2cdba66e332632

SHA512
c2241abab28b6d31f33fb17b89983fbfdfe03d55ca1078e8de29e4b56328ed5933c577c0e0865d8edcf897b9d752e8a011a22297f9d87cb683ce9f0522f763ea

Download Submit
C:\Users\Admin\Downloads\AppFile4.rar

Filesize
9.2MB

MD5
278e5d2bfec18a1ca9f027469451d830

SHA1
5b1c8523c8de3676b7e54cbb3070223a89bbaac6

SHA256
9f221a665c1cdef1711825ede8663446ce5ebbecba750af54b9d23ba003a81f4

SHA512
ba0134b9df7f99bd251b8c77ab6cf3a4862dfba6c8a693de8fa30c059716b1c30b549f6d0e15e9fa9224cba36badc46ac0cc5679f17adcf91e86d458853d3a78

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\??\pipe\LOCAL\crashpad_2492_GEEJKVAAHWOLIPQF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1200-190-0x00000000010C0000-0x0000000001307000-memory.dmp

Filesize
2.3MB

Download
memory/1200-221-0x00000000010C0000-0x0000000001307000-memory.dmp

Filesize
2.3MB

Download
memory/1200-207-0x000000001ADC0000-0x000000001B01F000-memory.dmp

Filesize
2.4MB

Download
memory/1200-192-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/1608-174-0x00000000739C0000-0x0000000073B3B000-memory.dmp

Filesize
1.5MB

Download
memory/1608-173-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/1608-166-0x0000000000400000-0x0000000000903000-memory.dmp

Filesize
5.0MB

Download
memory/1608-172-0x00000000739C0000-0x0000000073B3B000-memory.dmp

Filesize
1.5MB

Download
memory/3916-165-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-141-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-137-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-135-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-138-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-139-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-150-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-142-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-130-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/3916-140-0x0000000140000000-0x000000014131E000-memory.dmp

Filesize
19.1MB

Download
memory/4908-180-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/4908-184-0x00000000739C0000-0x0000000073B3B000-memory.dmp

Filesize
1.5MB

Download