c09c897d516e49643df90a122cfbb8a0780601caa702908f2b6f39013b546780

Analysis

max time kernel
262s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
02/08/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ComPg.html
Size

3.7MB
MD5

504581a087270caa44e6ef327bde86fe
SHA1

b0410a600ef206790bf489b411d28921cfccf273
SHA256

c09c897d516e49643df90a122cfbb8a0780601caa702908f2b6f39013b546780
SHA512

4ed7db3faea43b47efe00a63c8ba251eee6c2e41d637f09fa54b0a760594811355c231349a65a5af7a95056e26fd794516c730a6b28e8a9ee35b30d3edf5e76b
SSDEEP

49152:Cj+jKswn4dY2oW3K+BUisapPYI3jr5+KUa0axL23RC:/

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5072	SH9599034.exe

Loads dropped DLL 21 IoCs

pid	Process
644	MsiExec.exe
644	MsiExec.exe
644	MsiExec.exe
644	MsiExec.exe
644	MsiExec.exe
644	MsiExec.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nebgjyele = "C:\\R455dAADR\\SH9599034.exe"	SH9599034.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
27	644	MsiExec.exe
33	644	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5863df.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{871C848C-E87B-47EC-9299-C4B5AF9CE295}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID39D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID525.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5863da.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID546.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5863d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID535.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E25.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B97.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI706C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70AC.tmp	msiexec.exe
File created	C:\Windows\Installer\e5863d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI681D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5863da.msi	msiexec.exe
File created	C:\Windows\Installer\e5863df.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SH9599034.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
656	msedge.exe
656	msedge.exe
4196	msedge.exe
4196	msedge.exe
1080	identity_helper.exe
1080	identity_helper.exe
112	msiexec.exe
112	msiexec.exe
5072	SH9599034.exe
5072	SH9599034.exe
112	msiexec.exe
112	msiexec.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
112	msiexec.exe
112	msiexec.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5072	SH9599034.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1544	7zG.exe
Token: 35	1544	7zG.exe
Token: SeSecurityPrivilege	1544	7zG.exe
Token: SeSecurityPrivilege	1544	7zG.exe
Token: SeShutdownPrivilege	4136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4136	msiexec.exe
Token: SeSecurityPrivilege	112	msiexec.exe
Token: SeCreateTokenPrivilege	4136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4136	msiexec.exe
Token: SeLockMemoryPrivilege	4136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4136	msiexec.exe
Token: SeMachineAccountPrivilege	4136	msiexec.exe
Token: SeTcbPrivilege	4136	msiexec.exe
Token: SeSecurityPrivilege	4136	msiexec.exe
Token: SeTakeOwnershipPrivilege	4136	msiexec.exe
Token: SeLoadDriverPrivilege	4136	msiexec.exe
Token: SeSystemProfilePrivilege	4136	msiexec.exe
Token: SeSystemtimePrivilege	4136	msiexec.exe
Token: SeProfSingleProcessPrivilege	4136	msiexec.exe
Token: SeIncBasePriorityPrivilege	4136	msiexec.exe
Token: SeCreatePagefilePrivilege	4136	msiexec.exe
Token: SeCreatePermanentPrivilege	4136	msiexec.exe
Token: SeBackupPrivilege	4136	msiexec.exe
Token: SeRestorePrivilege	4136	msiexec.exe
Token: SeShutdownPrivilege	4136	msiexec.exe
Token: SeDebugPrivilege	4136	msiexec.exe
Token: SeAuditPrivilege	4136	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4136	msiexec.exe
Token: SeChangeNotifyPrivilege	4136	msiexec.exe
Token: SeRemoteShutdownPrivilege	4136	msiexec.exe
Token: SeUndockPrivilege	4136	msiexec.exe
Token: SeSyncAgentPrivilege	4136	msiexec.exe
Token: SeEnableDelegationPrivilege	4136	msiexec.exe
Token: SeManageVolumePrivilege	4136	msiexec.exe
Token: SeImpersonatePrivilege	4136	msiexec.exe
Token: SeCreateGlobalPrivilege	4136	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeShutdownPrivilege	1544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeCreateTokenPrivilege	1544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1544	msiexec.exe
Token: SeLockMemoryPrivilege	1544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1544	msiexec.exe
Token: SeMachineAccountPrivilege	1544	msiexec.exe
Token: SeTcbPrivilege	1544	msiexec.exe
Token: SeSecurityPrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
1544	7zG.exe
4136	msiexec.exe
1544	msiexec.exe
4136	msiexec.exe
1544	msiexec.exe
2024	msiexec.exe
2024	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe
5072	SH9599034.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1648	656	msedge.exe	81
PID 656 wrote to memory of 1648	656	msedge.exe	81
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 3608	656	msedge.exe	83
PID 656 wrote to memory of 4652	656	msedge.exe	84
PID 656 wrote to memory of 4652	656	msedge.exe	84
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85
PID 656 wrote to memory of 3516	656	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ComPg.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa22f646f8,0x7ffa22f64708,0x7ffa22f64718
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,13957374759900721872,9012428982065013789,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3756

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Recib.Spei_Ref.620vfo\" -spe -an -ai#7zMap17908:104:7zEvent989
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1544

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Recib.Spei_Ref.620vfo\Recib.S.P.E.I_Ref.231029.msi.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D36F8D7216E1CB032E3630350194E561
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:644
- - C:\R455dAADR\SH9599034.exe
    "C:\R455dAADR\SH9599034.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:5072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 083E72B3D5EBE460DE659EA1C9A08A16
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EB9D7961F600E3808AE62B292E5DA854
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3700

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Recib.Spei_Ref.620vfo\Recib.S.P.E.I_Ref.231029.msi.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1544

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Recib.Spei_Ref.620vfo\Recib.S.P.E.I_Ref.231029.msi.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5863d9.rbs

Filesize
768B

MD5
b6a4fc401812550721d49f00efb7914e

SHA1
df3b60eb6014db7f2f844723a7d968880bf1c491

SHA256
ea78f7419cd634afcaa357432de0eef7fd4432dc60e4dac0bc4d7c1b34bc3ac2

SHA512
fdc39a7864b352ec30d78669758e109b3d6c349f412ffbe1f3ca4da9a3abff4fd905967602704ca4a4c604d7144e196e1989b5bfe013667c683cf30d08e897b2

Download Submit
C:\Config.Msi\e5863dd.rbs

Filesize
1KB

MD5
5f66150f9d0521838a9f1d305d20f50e

SHA1
a13a35e3de5c4be9e6ab974afa6c1e042d80e5bd

SHA256
95b0c05a7aa541d2524930d0252372650891a53189f8e4a07a0c7a2cd3ef3217

SHA512
057f9b327f189f2db9f529c39690c808587b388e45899b2d6e6074155b288ffe0a36b6af2993ba241f457a92ebc1047797ff9f9f4752daa7513517ddc08dbadd

Download Submit
C:\Config.Msi\e5863de.rbf

Filesize
136KB

MD5
18e05cc6a3ea3ad91a462a443df1eea8

SHA1
e205653c99919b54fe12248de5a399cdffaac453

SHA256
4fd1d0d5ffcc91fed1cdd3e6dfe9d835cfd0b8594ba4c753df7641f66498cb11

SHA512
6bbfc66f6bf0d94470146032de0f6f381e0c0431d901d4bf16d91ac423a7f112c5d6b8bf91b732173edd2c059174dde75a367f05dfbeda3adb1e383adda67776

Download Submit
C:\Config.Msi\e5863e2.rbs

Filesize
1KB

MD5
ffaa76d813d60d4479ee06460eec06d7

SHA1
a9f64fbdc76b26c91e838e91e750bc99bb120d84

SHA256
8c38425eed6881840a9919c27f2a4c9812c977d9fcda380605c4fc9fdfd38ffc

SHA512
a9b7fb028a437dd6d66e85e9d4024af459ca303a148bd40de6ff58622681c05907f6b1ae4bfd98099ddf74aba9165d87e88d31efbed8d8ed65cc06abb63a26a2

Download Submit
C:\R455dAADR\HumbillQT5.dll

Filesize
1.5MB

MD5
9e5aa15a31eb279cc89aa4aab29e5611

SHA1
8534d576fa9e9b1b5d4cfe697b71d0a87a379381

SHA256
d76c62368c4460ba683893adea061652900ba9cc923fe30585b8a169f58baa8a

SHA512
2c0fdd5170ba82a47884ceefa0c83d9cd9d740eb7fb18a7ec3baec76c8c6f890e2397dff65baf6197e1690e2e8765bb081c6a1d91bcc7f4ea2a34616832a9ea6

Download Submit
C:\R455dAADR\SH9599034.exe

Filesize
9.1MB

MD5
74d3f521a38b23cd25ed61e4f8d99f16

SHA1
c4cd0e519aeca41e94665f2c5ea60a322deb3680

SHA256
1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845

SHA512
ec1c8b0eb895fd8947cad6126abc5bca3a712e42475228b9dcb3496098e720abb83d4cba4621edbd8d3ad7f306a5f57ced9c2c98fe2c2d0c8ebbbf99d7faf0f1

Download Submit
C:\R455dAADR\unrar.dll

Filesize
174KB

MD5
4289541be75e95bcfff04857f7144d87

SHA1
5ec8085e30d75ec18b8b1e193b3d5aa1648b0d2e

SHA256
2631fcdf920610557736549e27939b9c760743a2cddec0b2c2254cfa40003fb0

SHA512
3137a7790de74a6413aca6c80fd57288bcc30a7df3a416f3c6e8666041cd47a9609136c91405eee23224c4ae67c9aebbba4dd9c4e5786b09b83318755b4a55fd

Download Submit
C:\R455dAADR\x3085932623

Filesize
13.8MB

MD5
58b0dcf319033e61d251f5fce05b2801

SHA1
fa9f4b7f60a28f544829e2fa1aa2f254963d7249

SHA256
b79a595cdfac6850b0d8c652bcb6e00d44f31c2d10d20f526b1a029c0c07e489

SHA512
4b8867df31bd97e1f863dcb11b2905f01776d178ec72fe3b1645ab0d84ba06458ee9a54cc5897947af2a39abc752aa8c3524fe8f548b27ede577aaeb7a65a864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
1ba807dff113f64ceb3a4b8eb06b430b

SHA1
d3b5191e37fb2662eca40cd87f4e9caeb3893993

SHA256
5c758fedd51f8e100571438f0d21511c95488aa8bc5ac4b751ed5f349f86e047

SHA512
dcdaa5e579874521d82820fe236fd25c8916738534335f7fba02a426199a756e1b2b9e5274af7809ce48adc3f86793544bf9ef8e175270274c884823404d1f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4342383587ae12272f3c377cba3ad0fd

SHA1
8c11611427db2a2d2d869d09c5fe6c84deb0b21a

SHA256
02e69c40a5fd9f092b6bc73a0e407ee90364494de4af8a8886076d1e5bd81153

SHA512
ff0bad39c24053f7bd0e07931e9f9a2bb1bd9aa4673d869f003406e354050f78d933bf2cc699fc3d14d654ded003f2c61f1482190e63f2ae8c590fbc6ea08e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93e2ae34adc9ccd67c1f33669d39d504

SHA1
b4564fd7ee25e4597b1da8064d1f2e17a65f842c

SHA256
1002d4059e9516fc36c1cf5b4859481b001d556063588261ba443ac919f36709

SHA512
846ab72e662cfeb3bebecaf20192e5d676e4c0035d378c0ce710b69b1b8b5731834711453f58821ffc542254916c3bf599a9ca46a275689edbfa17344fe4c6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5c5239822d786206751a6614e80dd66

SHA1
0f12f486895299d2cef62a1ad3fcd2a19f1e4c1f

SHA256
fb74e9555d0b7f9d7131665745122ab3de73c340e3626cc55c2a8efc63a1a1d6

SHA512
752bb01d94f689c001a6f3e9745c86402ea306a6bd18125dbcd962cf26be57714aca96db9f2db7b7635e9c00370c126ebcd86461109a7e3c5d501a751db1422a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db65d747ddd70063cec7a97702f8e4b0

SHA1
9ce7ad0a223ee3425a24142ee38dcaef79f034ab

SHA256
f8d7a2cb5800533e2ac72aa0de1dcc1cc91ea9b2cf694aa796dc6745dbcc0baa

SHA512
6117de19c18f48ad5894216665ee73bc142271ca85e4196346c530c9667487eac07fcf1f8c368587a95b546f1c2018b8f95dcd3c59ec24a64e47938944cfb6eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a24051db639aaef884ae0d457a126c6d

SHA1
df8d489cd30cc84ca2ddc58f41b34bd992478c4e

SHA256
ddc9c8b43b3e8c24486c1611301441ecf580a452d74657323a8dcd94fc36958e

SHA512
5640d76a0f3b0e7685d04adda44431fd34930ec982b87df2453f09b2b583bc86f233be691bcfb9bd4062ce47930be20a16d8a2daddf2565f0b165b9d4df0f0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6bb97bcf3facc9d6fc83fef035f70d54

SHA1
fa3e1d817b635ab4e757ba6e9edb54199836190b

SHA256
4477069664f8177d51de144e3f1220b1b94e32c40ea632749f1747f4b7413650

SHA512
935e6ddecdcb05d0910927037dd8f186fbca0f004860f54148aab7d2701eaa32b5abe7dc3075558602c1b92cfe5a1eb61052778bf74dd4478f5686944c2e1177

Download Submit
C:\Users\Admin\Downloads\Recib.Spei_Ref.620vfo.zip

Filesize
2.8MB

MD5
beb4db194ba601a6490a6333ba756c58

SHA1
2fe327ad19ca095f9d123f1ccab815db56e7682e

SHA256
dd533e918aaf557a762d9dc3f6a041e940f21d84127b095d8bceba1b4d5d2b7d

SHA512
2612cbb39a28079a5d423b9f203f531bafabe758d8e169d692035dd049513624a4cd92a41a205db1e48871f31a59a24197500e0a3012b5de8b614be185f12ffb

Download Submit
C:\Windows\Installer\MSI66A4.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
memory/644-164-0x0000000002A40000-0x00000000032B1000-memory.dmp

Filesize
8.4MB

Download
memory/644-146-0x0000000002A40000-0x00000000032B1000-memory.dmp

Filesize
8.4MB

Download
memory/2344-265-0x00000000031D0000-0x0000000003A41000-memory.dmp

Filesize
8.4MB

Download
memory/2344-277-0x00000000031D0000-0x0000000003A41000-memory.dmp

Filesize
8.4MB

Download
memory/3700-335-0x0000000002C30000-0x00000000034A1000-memory.dmp

Filesize
8.4MB

Download
memory/3700-332-0x0000000002C30000-0x00000000034A1000-memory.dmp

Filesize
8.4MB

Download
memory/5072-270-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-269-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-271-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-275-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/5072-276-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-273-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-274-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-272-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-295-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-314-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-267-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-268-0x0000000009330000-0x00000000094B4000-memory.dmp

Filesize
1.5MB

Download
memory/5072-221-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-348-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-352-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-359-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-370-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-374-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-376-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-378-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-380-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-382-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download
memory/5072-392-0x00000000054D0000-0x0000000007CCA000-memory.dmp

Filesize
40.0MB

Download