agenttesla | hxxps://mega[.]nz/file/1K4VVTrb#-2pUw2hpv06KAplmE-VfpGwD5sLh2T6KiXIA_ZRyuQ8

Analysis

max time kernel
194s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1K4VVTrb#-2pUw2hpv06KAplmE-VfpGwD5sLh2T6KiXIA_ZRyuQ8

Score

10^/10

agenttesla discovery evasion keylogger spyware stealer themida trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/4620-364-0x000001E770D30000-0x000001E770F44000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VIKING BYPASS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VIKING BYPASS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VIKING BYPASS.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VIKING BYPASS.exe

Executes dropped EXE 3 IoCs

pid	Process
4620	VIKING BYPASS.exe
2592	VIKING BYPASS.exe
4796	VIKING BYPASS.exe

Loads dropped DLL 3 IoCs

pid	Process
4620	VIKING BYPASS.exe
2592	VIKING BYPASS.exe
4796	VIKING BYPASS.exe

Themida packer 26 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000500000001e553-351.dat	themida
behavioral1/memory/4620-353-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-357-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-356-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-355-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-358-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-366-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-370-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-375-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-378-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-379-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-377-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-380-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-386-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-390-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4620-392-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-395-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/2592-398-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-401-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-404-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-403-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-405-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-406-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-414-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-417-0x0000000180000000-0x0000000181261000-memory.dmp	themida
behavioral1/memory/4796-419-0x0000000180000000-0x0000000181261000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VIKING BYPASS.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4620	VIKING BYPASS.exe
2592	VIKING BYPASS.exe
4796	VIKING BYPASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\clickk	VIKING BYPASS.exe
File created	C:\Windows\clickk	VIKING BYPASS.exe
File created	C:\Windows\clickk	VIKING BYPASS.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VIKING BYPASS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VIKING BYPASS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VIKING BYPASS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VIKING BYPASS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VIKING BYPASS.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
3956	taskkill.exe
4860	taskkill.exe
2748	taskkill.exe
3060	taskkill.exe
2864	taskkill.exe
2260	taskkill.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
4588	msedge.exe
4588	msedge.exe
3600	identity_helper.exe
3600	identity_helper.exe
3420	msedge.exe
3420	msedge.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
4620	VIKING BYPASS.exe
2592	VIKING BYPASS.exe
2592	VIKING BYPASS.exe
2592	VIKING BYPASS.exe
4796	VIKING BYPASS.exe
4796	VIKING BYPASS.exe
4796	VIKING BYPASS.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: 33	5036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5036	AUDIODG.EXE
Token: SeRestorePrivilege	4488	7zG.exe
Token: 35	4488	7zG.exe
Token: SeSecurityPrivilege	4488	7zG.exe
Token: SeSecurityPrivilege	4488	7zG.exe
Token: SeDebugPrivilege	4620	VIKING BYPASS.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	2592	VIKING BYPASS.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	4796	VIKING BYPASS.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4488	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3712	4588	msedge.exe	84
PID 4588 wrote to memory of 3712	4588	msedge.exe	84
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 2588	4588	msedge.exe	85
PID 4588 wrote to memory of 1072	4588	msedge.exe	86
PID 4588 wrote to memory of 1072	4588	msedge.exe	86
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87
PID 4588 wrote to memory of 1816	4588	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/1K4VVTrb#-2pUw2hpv06KAplmE-VfpGwD5sLh2T6KiXIA_ZRyuQ8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97c7046f8,0x7ff97c704708,0x7ff97c704718
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1916 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,11070957043209752300,13988970107653676692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4728

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\" -ad -an -ai#7zMap18695:100:7zEvent16798
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4488

C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe
"C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  PID:5052
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM AndroidEmulatorEnEx.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM adb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4860

C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe
"C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  PID:2928
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM AndroidEmulatorEnEx.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM adb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3060

C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe
"C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  PID:1852
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM AndroidEmulatorEnEx.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM adb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VIKING BYPASS.exe.log

Filesize
1KB

MD5
14c556dab281724a577a1e124d123bb7

SHA1
51df0cbd27c4add4b0d995f22cbf070c75a17948

SHA256
a42b928edd8fb404e6ef17635139d05af866faedf86a2930def6e275a165957a

SHA512
1efc48f55d9d56884533f3b0cba20abb5d99373c3b23ee55a5d9583dd9653aed35dc208130a7e5933ac325064ccc9ba3fe189aff5f12d805548176fe4da76875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
8d32af62d63d0c41cca809a7fbf141a0

SHA1
1aa4eaeba2725cf98b30cbf99ba3363595cccbcf

SHA256
30ecb84c060845db08eda0e65420b8290a1ea0bd5d1d16d4a0e37da2ba05292b

SHA512
95390d3362cc42c39e601e51686f87714063a47130da995033f7ea5d0197d5a1c839db7053ac5ac3c966deb8f08185bd238cccd35dd1740148c138aafb6ac916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ba70fd22ee0c967881b3ffdf7996ac2

SHA1
77b8236f5c56ec49f5d6f48ebf1eb03511921840

SHA256
dbf1f18f20265c56d0b26d8bc320c98c86bcb250169049ab448e010618c7e77a

SHA512
33151ec13e53dadfd286f823ee591bcf9a1ceb157cdb8c21acaef97394809cff280f86e0ecdfc93970d35e47c1f733dd04860ac2eb7e9e955fcd704c58ed2cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce32ce9e889fffe4cfc453641d0ac778

SHA1
0f7f111562c671b8a3b0a1c6d4ec0d82abcc1dfe

SHA256
f28b1396dcdf2697d5eacf710fc4d7b41d459c1182dc3703ca45e4ae622c4260

SHA512
7bbf06ea42e6821446fc1f7b1c61f8747b0236cb30baad8baa1228f84c2c68d415725d13b6b441ba8375e04f9e30f5af417312ba119d573eb73d3a104a369324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f576940ea50b8822d90b1acb275169f

SHA1
8ee7738a740a0bf7b80a3abf2eb7903348e4e025

SHA256
ade1aa1d39884319213f9e1ed17f3288af1f7a66cba88c5277a87252d9addabb

SHA512
bb94fe79c0a661b856a70a729b8dc3eb0c63e33ba6a40b517e0cd464a4295d073eb32149454df5a2a3187f7643c57f83fcaa08a7d43aa06f4ddc34785ff05ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20f8db4057e9a9ac90d701a5e49da2cc

SHA1
8313812b1429bf601c5803cf447c1a46d0b76fa4

SHA256
629f3759d63c9eb489b8f0a32b0b80202f4ccf5962a12c5dc9f3fb3a35922d63

SHA512
710f4dbdfb30760e84e1bb86a0c916a595079513cda0a082559eaac74bdbded0a4e864496b3da7ac42756ce36c468d0b10214a23773f7774e75c0739ec9ea460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
605400849203d5ac6ba19ea78a7a63ba

SHA1
13afc28f4c881fffb1fab61a5f673124c1c55822

SHA256
fa116b6cbcc39417d1f40b1ef9e57261282c26cd1adb474c1fb7fa3e7429f4b7

SHA512
42748146a98cea379b85710d7ced629aa172582030690d5d1ef7e769090514285dfbe7c9be056f3eb4a86328c0826e1919e9d090da1f3cbe3894df0c3276c87d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58240d.TMP

Filesize
48B

MD5
70d25ba29ce919cd1392ad311002bdd7

SHA1
1ddfa53189952eb1c5e081af6f47c106bf75602b

SHA256
624c9dfa8693040a244c414e9d2ec5e89f46ee3cc10db210b157e6574b0ecdd3

SHA512
a71b91432e9d0d0f7ad8bae3353721f65dfc86e43d514dd7659b91dbf13c343a2ab3b41936249dc8aa17f72acc745f61e6d90fb17062ed54faa2f0ce4890a77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5f26c4540cf75a3af1e35ac828848cb

SHA1
45d756177a4a24c9b5dee296e52cb07887c19c88

SHA256
b9ddbee8cd430e1e5ea7a3d461c6d462381bc4fe62220769e661f2478cab8ee4

SHA512
d0aa6006757114f5fc50925f9ba4491e1ea7c27b7437ba849a953f0a630e39757fb743fd50da90e2a6ded1b3c9c05aaebfbc72c146dcec9f2293ef48960bb53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
422bbb6e6f1a1963fb04eb16f1d4fb08

SHA1
734e0d4ec1327da98edf4e3e556ab13999cddc58

SHA256
a4504837c92b86261d0c3476177c0bf01612b819703e3fbcfbafe982b716a7b8

SHA512
930a8496fc483da97d3c2ee37e5c6ff2c001c071b3c9475694006245bdddc711598f292c86823595e81a6fccbe1a67ebafd5c0e316386949f6255bb0eccf4ece

Download Submit
C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix.rar

Filesize
27.5MB

MD5
b2efb8690e7d20623d8d9c1170debc75

SHA1
999c1f90b97c45d07d7ee5f7f2f44f74e7e202b5

SHA256
a9ceef6df9b8e6270ecdb1f6c4af88376c2f2dd029838d52772f1589bac95e07

SHA512
cafa3337c3983e7d4b4ed6a3456dd70f4a6ff7efdfc181c4d91d3853400c75e1102f0347a907d489d0f04be3fd307ba7752ef1de0510e4f09ce6ebeb97764803

Download Submit
C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\Runtime64.dll

Filesize
9.4MB

MD5
1536bbb84ce32cfcaf72dbcfd5949401

SHA1
1c6742ed78c708672e06f2c8a4c989bc5e5a838d

SHA256
e3bcb8faecc22a443d41312b80e798a6358749d8b266a1bfc66ede45009e7b92

SHA512
387dda2304d0da1ed732c3d4a8f49987e5998251634cd8b449dd4821a0f7834830d7caaea5a0616ed5810ac4595d8355645266856cc8ba1e4bfed50c874c755e

Download Submit
C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe

Filesize
18.7MB

MD5
408024bed77cc8d2c528d4552c0f9e31

SHA1
7080b92aa1931476b2b54669addf0b0375123bc1

SHA256
e487119e7a741d545c4ab95ee46a2e29fec0328922838849ff5b6938b46eec8f

SHA512
d6d1545c63bd0fbb6b28099d4582575dbd8e304c8b1371a899e4e52bb293f17bf1e1593c03f81a4da5a76dd71a4f90c80a0a5409fe3e039f54e9d8b47a1ed0b5

Download Submit
C:\Users\Admin\Desktop\VIKING BYPASS 3.0 Fix\VIKING BYPASS.exe.config

Filesize
186B

MD5
b51c130a957051ba9fb2245bf76fb6f6

SHA1
42181e5745daab2a0e8cf87693142828306f9bda

SHA256
7921098e47e894412fdfd0cafe0f88cc68497740998eac17c68c00129069d803

SHA512
fa2ac3eff5d51aea7acc9cf6aa018a77fae295d55c5bf808c9d7048c801baf4626568f00fb001a9f2780c46dce294482cfeb3045aabe139ddc557c0d3bc11640

Download Submit
C:\Windows\clickk

Filesize
17KB

MD5
b58bdf0deec0458596ab84ca3cf8d413

SHA1
96abcebe2df9af49074b68232b6d8f6405fcb468

SHA256
b8c721277c65874095f25a7961cd866c5557db31373e1e24519f4ee53ae83ace

SHA512
8f3a233e4d2854d86ff41908212f61e8a9865b24eac223a318e54457b117f0853f6b84f7b593df0727886a28c998be66478deeb85ff43b38527d7614e2f84cf8

Download Submit
memory/2592-381-0x00007FF984F40000-0x00007FF98508E000-memory.dmp

Filesize
1.3MB

Download
memory/2592-375-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-398-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-395-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-390-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-380-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-377-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-379-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/2592-378-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-365-0x000001E770F40000-0x000001E772F3E000-memory.dmp

Filesize
32.0MB

Download
memory/4620-358-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-367-0x000001E773230000-0x000001E773242000-memory.dmp

Filesize
72KB

Download
memory/4620-366-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-370-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-354-0x00007FF4FBEE0000-0x00007FF4FC0CF000-memory.dmp

Filesize
1.9MB

Download
memory/4620-364-0x000001E770D30000-0x000001E770F44000-memory.dmp

Filesize
2.1MB

Download
memory/4620-361-0x000001E770600000-0x000001E7706D2000-memory.dmp

Filesize
840KB

Download
memory/4620-363-0x000001E770600000-0x000001E7706D2000-memory.dmp

Filesize
840KB

Download
memory/4620-360-0x000001E770600000-0x000001E7706D2000-memory.dmp

Filesize
840KB

Download
memory/4620-359-0x00007FF984F40000-0x00007FF98508E000-memory.dmp

Filesize
1.3MB

Download
memory/4620-353-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-386-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-357-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-392-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-350-0x000001E770600000-0x000001E7706D8000-memory.dmp

Filesize
864KB

Download
memory/4620-355-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4620-349-0x000001E76CF20000-0x000001E76E1DE000-memory.dmp

Filesize
18.7MB

Download
memory/4620-356-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-401-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-404-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-403-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-405-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-407-0x00007FF97C480000-0x00007FF97C5CE000-memory.dmp

Filesize
1.3MB

Download
memory/4796-406-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-414-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-417-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download
memory/4796-419-0x0000000180000000-0x0000000181261000-memory.dmp

Filesize
18.4MB

Download